Volume  39  of  111 

(Accused  Copy) 


_ VERBATIM _ 1 

RECORD  OF  TRIAL2 

(and  accompanying  papers) 

of 


MANNING,  Bradley  E. 

PFC/E-3 

(Name:  Last,  First,  Middle  Initial) 

(Social  Security  Number) 

(Rank) 

Headquarters  and 
Headquarters  Company, 


United  States  Army  Garrison 

U.S. Army

Fort  Myer,  VA  22211 

(Unit/Command  Name) 

(Branch  of  Service) 

(Station  or  Ship) 

By 


GENERAL  COURT-MARTIAL 


Convened  by  Commander 

(Title  of  Convening  Authority) 

UNITED  STATES  ARMY  MILITARY  DISTRICT  OF  WASHINGTON 
(Unit/Command  of  Convening  Authority) 

Tried at


Fort  Meade,  MD  on  see  below 

(Place  or  Places  of  Trial)  (Date  or  Dates  of  Trial) 


Date  or  Dates  of  Trial: 

23 February 2012, 15-16 March 2012, 24-26 April 2012, 6-8 June 2012, 25 June 2012, 16-19 July 2012, 28-30 August 2012, 2 October 2012, 12 October 2012, 17-18 October 2012, 7-8 November 2012, 27 November - 2 December 2012, 5-7 December 2012, 10-11 December 2012, 8-9 January 2013, 16 January 2013, 26 February - 1 March 2013, 8 March 2013, 10 April 2013, 7-8 May 2013, 21 May 2013, 3-5 June 2013, 10-12 June 2013, 17-18 June 2013, 25-28 June 2013, 1-2 July 2013, 8-10 July 2013, 15 July 2013, 18-19 July 2013, 25-26 July 2013, 28 July - 2 August 2013, 5-9 August 2013, 12-14 August 2013, 16 August 2013, and 19-21 August 2013.


1  insert  "verbatim"  or  "summarized"  as  appropriate.  (This  form  will  be  used  by  the  Army  and  Navy  for  verbatim  records  of  trial  only.) 

2  See  inside  back  cover  for  instructions  as  to  preparation  and  arrangement. 


DD  FORM  490,  MAY  2000 


PREVIOUS  EDITION  IS  OBSOLETE. 


Front  Cover 




systems by which they do day to day business on and to report any anomalies or violations that they may see to their — to their appropriate security officials.

Q. Mr. Weaver, when is the user allowed to install Wget?

A. Never, sir. That user would not have those permissions.

ATC [CPT von ELTEN]: Returning Prosecution Exhibit to the court reporter [handing the document to the court reporter]. Nothing further, ma'am.

MJ: Cross?

ADC [CPT TOOMAN]: Yes, ma'am.

CROSS-EXAMINATION

Questions by the assistant defense counsel [CPT TOOMAN]:

Q. Good afternoon, Mr. Weaver.

A. Good afternoon, sir.

Q. Mr. Weaver, do you know what an "executable file" is?

A. Yes, sir.

Q. What is it?

A. It's a — an executable file would allow for a program application to run its directions or instructions by the system — would execute that file or program — it's the instructions.

Q. Okay. Do you know whether or not the S-2 Section of PFC Manning's unit, 2/10 Mountain Division — do you know whether or not they permitted executable files to be run on their -


8564 




A. I do not know that answer, sir.

Q. Okay. Sir, you talked a little bit about the IA training and threats that are discussed within that training. Is Al Qaeda discussed specifically in that training?

A. There are — the foreign threats, sir, are discussed in the current versions of the training. I don't remember if it was in previous versions, but they do talk to nation, state or foreign actors in the training. So, you know, it's just another series of bad guys.

Q. Okay. To the extent you can remember those past versions, are those foreign groups just grouped generally or are they specifically listed?

A. They are specifically listed by activists, activists hacker, insider threat, foreign state. So there's a number of them. I don't remember the exact numbers. There's a group.

Q. So those are broad categories, they don't get specific, for example, and say Al Qaeda?

A. No, sir. That would — that would cross some of the boundaries of potentially classified or extremely sensitive information that obviously the CDs are not designed for those.

Q. Okay, and so based on that answer, I assume that they don't specifically mention Al Qaeda in the Arabian peninsula either?

A. I don't believe they do.


8565 




Q. And I don't — you would — you would say that the IA training also doesn't discuss whether or not specific groups use the internet — particular internet sites?

A. I — that's a different — so as a general user you probably would not make that inference as an IA guy with -- with access to classified. You could say that's — that's easily seen in — in the videos.

Q. But the training doesn't say Al Qaeda uses WikiLeaks —

A. No, sir.

Q. -- or Al Qaeda uses ESPN.com?

A. Not that I know of. No, sir.

Q. Okay. Now, you talked about AR 25-2 and the punitive paragraphs, and the purpose of AR 25-2 was to give some teeth to the IA regulation, correct?

A. That is a true statement. Yes, sir.

Q. And while its intention was to give teeth, you would also say that AR 25-2 is open to interpretation?

A. As all regulations are, sir, they are open to interpretation, yes, sir.

Q. And indeed AR 25-2, from your view, is a regulation that really the decisions about what's authorized and what's not authorized should be made at the unit level, correct?

A. No, sir.


8566 




Q. No.

A. I disagree. The AR 25-2 outlines standard Army practices and principles by which a IA should be conducted understanding it is a part of the anti-security domain, not just a piece of the security functions. It incorporates, you know, the guidance and the responsibility that it's not just one thing. It's a whole list all things.

Q. Okay, so 25-2 sort of provides a baseline standard?

A. Yes, sir.

Q. You would agree, though, that a commander in a unit could deviate from AR 25-2?

A. A commander by his — by his position would have the authority to do so but he would do so with the advice and the understanding of his security staff, his G6 staff, his intelligence staff. It's not a decision he would execute unknowingly or without merit, and he could still be subject — subject to a higher level authority, which he would have to rescind that authorization.

Q. Sure, so the individual — the individual would consider kind of the pros and the cons, and if they deviated from 25-2 they would assume some risk?

A. Yes, sir. But in my experiences that risk is usually surfaced at a higher level to ensure that it doesn't impose a greater risk across the enterprise or across the Army. So in my experiences


8567 




dealing with the exceptions or waivers to AR 25-2 it is always done in concert with the commander, not solely by the commander. So he makes those decisions with the advice of not only his local staff but also his higher headquarter staff, and many times at the Army level.

Q. You would agree that a deviation from 25-2, if there were a deviation and a commander or a supervisor had approved it, you wouldn't hold an individual responsible under 25-2 in a situation where the chain of command had said it's okay if you do that?

A. I'm not sure of the question. If the command — so if the user — if the user followed due process and requested the appropriate action and the leadership has approved that action, then it's the leadership's responsibility obviously to manage and monitor that — that action or that request.

Q. Okay, so if a junior Soldier was told by his supervisor or his chain of command that something was allowed, you would expect the junior Soldier to rely upon the chain of command?

A. Yes, sir.

ADC [CPT TOOMAN]: One moment, please.

Q. Mr. Weaver, would your — what is your understanding as to whether or not music would be permitted to be stored on -- on a system?

A. Do you want the regulation answer or in my opinion, sir?

Q. Let's go with the regulation answer.


8568 




A. Okay.

A. So the answer would be there should be a process in place by which a commander authorized those activities or actions for which they would support MWR or health and welfare or morale associated with his environment. It is not arbitrary do as you want to do or do whatever you want to do process. It should be requested. It should be a process by which it is approved and the manner in which it is approved is — is followed every time and obviously enforced when it is not followed.

Q. Sure. So a commander, if authorizing music, would go through the process you described. But the language of 25-2 wouldn't allow for music to be stored on a system, correct?

A. The intent of AR 25-2 is not to allow music on a — on a network due to the fact that, a, it violates copyright laws for one, and, secondly, it is potentially fraught with malware on the CDs that you would upload from. So those have to be approved in case as well.

Q. Would — you said the same is true of games?

A. Yes, sir. Absolutely.

Q. What about — what about executable files?

A. Absolutely.

Q. Now, let's go into — that was the regulation answer. What's the reality?


8569 




A. So the reality is is a commander has a — responsible for health and welfare of his networks and of his Soldiers. And so as such, there should be a policy or opportunity by which it is done correctly in mitigating the risk associated with those activities. The copyright problem aside, there are technically feasible ways by which your infrastructure guys and security guys and — or gals — I apologize to the ladies in the room, sorry — and your security folks can implement those control measures to mitigate the risk associated with offering that kind of service. Or just outright prohibit and look at alternatives by which they could satisfy the requirement if they have one.

ADC [CPT TOOMAN]: Thank you, Mr. Weaver.

WIT: Yes, sir.

MJ: Redirect?

REDIRECT EXAMINATION

Questions by the assistant trial counsel [CPT von ELTEN]:

Q. Mr. Weaver, what's the difference between introducing a system and storing a system or storing a file and introducing a file to a system?

A. Storing a file is anything — it encompasses a number of things. One, where the file was originally created or stored, moved, like a file server or a location by which you, a user, had access to, you know, copying from your C drive to a network drive, for example.


8570 




Introducing a file or an executable would be not necessarily something that would be execute — would be installation through a software — I'm sorry, through a hardware, USB token, or a CD, or downloading a file that has an executable in it that would change the configuration of the system or — or had malicious conduct or intent mind that system itself. So I'm not sure if I answered your question.

Q. Are the two treated differently under AR 25-2?

A. Yes, sir.

Q. How are they treated?

A. So the user with -- so a file on a network or creation of a file on a network and moving documents and so forth is — would be authorized. Traditionally users do not have the authority — users do not have the authority to do executable files. That's what a system and network administrators are for — people that are trained to understand the impact of what — or what many variations or executables are and the impact to them — why malware is bad, why CDs are bad because they could contain malicious content -- executables, not just the files, the music that's on that CD, for example.

ATC [CPT von ELTEN]: Thank you.

WIT: Yes, sir.

ADC [CPT TOOMAN]: No, ma'am.

MJ: I have a couple of questions.


8571 




WIT: Yes, ma'am.

EXAMINATION BY THE COURT-MARTIAL

Questions by the military judge:

Q. Is the administrator privilege and user limitations — are they consistent throughout the Army?

A. The standard, yes, sir — yes, ma'am, I'm sorry.

Q. That's okay. Thank you.

A. Yes, they are standard.

Q. So did I understand your testimony that a user of a Department of the Army computer could not load Wget on that computer?

A. If configured correctly, that would be a true statement, ma'am. You, as a user, cannot load Wget on their system. You would not have those permissions to upload it. And having — if I may continue —

Q. Yes.

A. — having access or ability doesn't equate to authorization. So — so a user would not have the authorization to do that executable or to load that Wget. That would be a system or network administrator.

Q. Say that once — saying one has the ability doesn't equal authorization?

A. Yes, ma'am. That's a fundamental principle of 25-2.


8572 




Q. In the training that you discussed in the CDs, does that tell users that?

A. Yes, ma'am.

Q. So if a user goes on the internet or is — sends an e-mail with some kind of an attached movie or clip or something like that, is that considered an executable file?

A. The — many times it can be, yes, ma'am.

Q. So if the user clicks on the clip, is that a violation of AR 25-2?

A. By policy, yes, ma'am. Because you have no idea what the content of that movie file may contain. It should be reported as a potential security violation or an attempt by somebody to do malicious content — malicious activity on your network.

Q. I guess that's where I'm back to my original question. When machines — when users are on Army machines normally if the user tries to install something they're not allowed to install, don't they get the box that says they have to have to have administrator privileges to do that?

A. Yes, ma'am. Many times. Yes, ma'am.

Q. But not always?

A. But — but based on how a partic — clicking on the link in the e-mail may contain malicious content that might load onto the computer but may not execute until the next time you log off and log


8573 




back on, for example, or other actions that circumvent the security parameters of -- of that system. So the user would click on a link, the code would execute, he would not see those pop-ups or may not see those pop-ups, and then your system is compromised. Not — not all actions are identified by the system when you install or maliciously accessed content that might be sent to you.

Q. Assume there is mission related; someone sends a video or someone sends some kind of a file that you open and execute, is a user prohibited from doing that?

A. No, ma'am. But — but it is usually part of the operational process by which the process itself — the control mechanisms are in place and the process has been validated to be either safe or approved. So sending a UA — UAV video from side A to B or moving a file from side A to B that's a UAV video would be operation, and so, you know, double clicking on that to execute it is — is approved or authorized.

MJ: Any questions based on mine?

ATC [CPT von ELTEN]: Nothing, Your Honor.

ADC [CPT TOOMAN]: No, ma'am.

MJ: Temporary or permanent excusal?

ATC [CPT von ELTEN]: Temporary.

[The witness was temporarily excused, duly warned, and withdrew from the courtroom.]


8574 




TC [MAJ FEIN]: Your Honor, the United States offers to read a stipulation onto the record. This is Prosecution Exhibit 80. Stipulation of Expected Testimony for Mr. Doug Schasteen, dated 9 June 2013.

It is hereby agreed to by the Accused, Defense Counsel, Trial Counsel, and Mr. Doug — that if Mr. Doug Schasteen were present to testify during the merits and pre-sentencing phases of this court-martial, he would testify substantially as follows:

While I currently work for a private software company in Seattle, Washington, I was previously the IT Director at Willco Technologies. I held that position for 6 years. In that position, I took care of all the technology-related tasks and served as the main point of contact and database administrator for the U.S. Army Training & Certifications Tracking System (ATCTS). The U.S. Army hired Willco Technologies to build and then maintain a database tracking system for U.S. Army Information Assurance (IA) certification, excuse me, Your Honor, certifications. I developed the database and oversaw its development.

I recognize Prosecution Exhibit 114 for Identification Bates numbers: 00411400 through 00411401, as a print out from the ATCTS. ATCTS is the database I built, and it tracks the activity status of U.S. Army personnel as well as the dates of the users' information assurance (IA) training certifications. I recognize PE


8575 




114 ID as the one I provided on 31 January 2012, to investigators in the present case against PFC Manning. Along with PE 114 for ID, I provided an attestation to its authenticity notarized by a Notary Public and it is identified at Bates number: 00411399.

PE 114 for ID shows PFC Manning's IA certification status. It shows that the user name: "Bradley Manning" is no longer active in our system. All Soldiers must have IA training, at least, on a yearly basis. As a Soldier, he would have an account in our system. PE 114 for ID shows PFC Manning's IA trainings were dated 5 September 2008, and then 31 October 2009. This tells us that PFC Manning had received the yearly IA training and associated certification necessary for computer usage through October 2010. As of this time I provided this print out in January of 2012, PFC Manning had an "inactive — excuse me, Your Honor, "inactive" status. Accordingly, his account had been disabled and he wouldn't be able to log in. A user attains this status when he or she is not in compliance with the yearly IA requirement. For users who are in compliance, their unit identifiers show up in the lines indicating "command" and "unit".

This training information is collected automatically by the Army Signal Command at Fort Gordon, GA, when a user completes the annual IA exam online. It is then transmitted to our system for automatic updating. Our system further tracks the extra training necessary for users who are certified as a system administrator. Our


8576 




system shows PFC Manning has not had any of the required system administrator trainings.

Your Honor, the United States moves to admit Prosecution Exhibit 114 for Identification as Prosecution Exhibit 114.

MJ: Any objection?

CDC [MR. COOMBS]: No objection, Your Honor.

MJ: Prosecution Exhibit 114 is admitted.

ATC [CPT von ELTEN]: Ma'am, the United States calls Mark Kitz to the stand.

MARK KITZ, civilian, was called as a witness for the prosecution, was sworn, and testified as follows:

DIRECT EXAMINATION

Questions by assistant trial counsel [CPT von ELTEN]:

Q. Are you Mark Kitz of Aberdeen, Maryland?

A. Yes.

Q. Where do you work?

A. I work at Aberdeen Proving Ground in Maryland at the Program Executive Officer Intelligence Electronic Warfare and Surveillance Program Manager Distributed Common Ground System, Army.

Q. What is your educational background?

A. I have a bachelor's degree from Lafayette College in electrical engineering and a master's degree in electrical


8577 




engineering as well from the New Jersey Institute of Technology, with a focus on communication systems.

Q. How long have you been a government employee?

A. About 13 years.

Q. And what have you done in your time for the government?

A. So I came to the government directly out of college. I worked my master's program while I was in college — I mean — sorry, while I was employed by the government. I worked for the Trojan Program — the acronym totally escapes me. It's a communication system. I was the project engineer, project leader, project manager, and I spent about six or seven years with the Trojan Program working on the communication systems, and then they also have an intelligence system that I was a project manager on as well. Then I did — I was selected for an engineering and scientist exchange rotation in Adelaide, Australia. I did a year and a half at the Defense Science and Technology Organization in Australia. Then I came back and began working on DCGS-A as a — on a loan from a S and T community and then went as a core employee or working directly for the program manager in 2011.

Q. How long have you worked in DCGS-A?

A. It's a little over 5 years.

Q. What position did you have prior to your current one?


8578 




A. I started as an integrated product team lead for signals intelligence, and then I worked my way up to becoming the systems engineering lead for a product that we have called Version 3, or the intelligence fusion server and basic analyst laptop. Then I was selected to become the technical director for the program so — which is the role I currently have, which oversees a portfolio of systems, capacity abilities, and software across the DCGS-A portfolio.

Q. How large is that portfolio?

A. So we're an ACAT I MAIS; MAIS - Major Automated Information System. Now there isn't a larger category of acquisition programs in the defense, so we're a very large program. We have a portfolio of about 13 systems fielded from company to above Corps. We have over 700 server suites, over 5000 laptops. We field to support the full 58,000 military intelligence professionals supporting the Army.

Q. What is DCGS-A?

A. So DCGS-A is essentially a portfolio of capabilities providing intelligence, processing, exploitation and dissemination for the Army. What does that mean in lay terms? Every military intelligence analyst in the Army gets DCGS-A; whether that's a laptop, whether that's a server, back-end infrastructure for them to save data, store data — whether that's a sensor flying over the battle space, there's something on the ground ingesting that sensor feed and providing that sens — that information to an analyst. All


8579 




of that infrastructure across the entire Army is provided by DCGS-A. It's relatively difficult to explain in somewhat really lay terms, but everything from the data link itself — from the piece of satellite communications that comes with it, to the Microsoft Office product that sits on a laptop, is bought for by the DCGS-A program and is the acquisition program for that purchase or procurement.

Q. At what level are DCGS-A systems distributed?

A. So today we're — all the way as low as the company intelligence support team. We actually — so equip to the battalions and companies -- DCGS-A headquarters, division headquarters, at the Corps headquarters, and then all the support brigades and all of the above Corps elements that have intelligence professionals are equipped with DCGS-A.

Q. Whom do you advise in your current position?

A. The program manager for DCGS-A, Colonel Charles Wells.

Q. What does the program manager do?

A. So the program manager is the chartered — I'm struggling for the adjective — but he is the person in charge of all of the activities within the portfolio. So the ACAT I program that we mentioned called DCGS-A, he has any CAT II program called MFLTS - Machine Foreign Language Translation, and any CAT III program called CHARCS, which is the counter intelligence - human intelligence capability for the Army. He manages that portfolio as the


8580 




acquisition manager, and he essentially follows the 5002 law — DoD 5002 law in procuring capability against the validated requirement by the — by the — by the JROC — by the joint community.

Q. What matters do you advise the program manager on?

A. Technical and acquisition. So as the technical director, I advise the program manager on trade analysis — determining how we meet requirements and what software or what hardware or what capabilities are purchased and how the teams are advised — how the teams are proposing those procurement activities. And then I also advise him on the acquisition process. How we move through the gates that are put up by OSD and by Congress that we have to statutorily or regulatory meet in order to achieve the capability for the warfighter.

Q. What do you consider when giving advice to the program manager?

A. So — a lot of it comes down to my experience. A lot of it comes down to essentially developing courses of action that allow him to make an informed decisions about not just the technology, not just the acquisition process, but what is best and makes the most common sense to achieve the goals of the program and the Army.

Q. How long have you been in your current position?

A. Two years.


8581 




Q. Let's talk a little bit about the development process. How would you characterize it?

A. So — the develop process is, I wouldn't call it set in stone, but it is a tried and true process from an acquisition perspective. It's termed the systems engineering process. And that's essentially — it lays out the outline of how the Army procures systems at a large level as I mentioned as ACAT I program. So that process is well defined and — and — and it's taught across the Army. Did I answer your question?

Q. You did. Let's talk a little bit about creating a software setup. How many — about how many steps are involved?

A. So in identifying a solution -- a piece of software to meet a requirement, there's multiple steps involved. The first would be defining the requirement. So — any Army system would have a requirement that's defined in -- in what we call a capabilities production document; CPD, or capability description document called the CDD. We in DCGS-A, since we're a large program, we actually have both. The CDD essentially says, you know, we want you to build a DCGS-A and the CPD gets to further detail. So the first step of the process is ensuring that we have a solid requirement set that says will go build something that makes sense for the Army and is measurable via a test. The next step would be to build organizing principles around that requirement. So in our CPD we have 20


8582 




1  attributes.  So  each  attribute  has  hundreds  of  requirements 

2  associated  with  it.  So  we  organize  into  integrated  product  teams,  as 

3  I  mentioned  earlier.  Those  integrated  product  teams  are  then 

4  empowered  to  identify  solutions  and  build  out  their  own  process  on 

5  how  they  would  address  that  requirement  with  a  capability. 

6  Q.  Who  —  who  are  on  the  integrated  product  —  product  teams? 

7  A.  So  you  would  have  subject  matter  experts  —  user 

8  representation  from  TRADOC  —  from  the  Training  and  Doctrine  Command, 

9  and  systems  engineers  like  myself. 

10  Q.  How  do  they  evaluate  the  product? 

11  A.  So  essentially  you  would  evaluate  the  requirement  and 

12  refine  the  requirement  into  measurable  sets.  So  the  example  I've 

13  used  previously  is  —  the  requirement  may  say  to  go  build  a  word 

14  processor,  and  that  word  processor  —  another  requirement  in  the  word 

15  processor  may  be  to  —  we  want  to  it  support  English  and  Arabic  and 

16  Chinese,  and  so  the  requirement  would  then  —  would  be  essentially 

17  decomposed  into  smaller  chunks  —  measurable  chunks.  You  can't 

18  measure  a  requirement  that  says  build  a  word  processor.  You  can't 

19  delineate  between  different  word  processing  pieces  of  software  that 

20  would  deliver  that  capability.  So  the  IPT  would  agree  upon  a  set  of 

21 measurable requirements and then do trade analysis.

22  Q.  What  is  trade  analysis? 


8583 




1  A.  So  trade  analysis  would  be  similar  to  releasing  a  request 

2  for  proposals.  Essentially  the  government  is  looking  for  this  set  of 

3  requirements  to  —  a  solution  that  would  meet  this  set  of 

4  requirements,  and  they  would  do  the  technical  evaluation  and  the  cost 

5  evaluation  against  those  requirements,  and  then  propose  a  solution 

6  back  to  the  larger  program  and  the  systems  engineering  process  that 

7  says  —  an  example,  I'm  the  —  I'm  in  the  signals  intelligence  IPT, 

8  I  would  propose  this  solution  to  meet  a  certain  requirement,  and  the 

9  wider  systems  engineering  community  would  accept  that  through  a 

10  series  of  gates. 

11  Q.  What  happens  after  the  solution  is  proposed  —  accepted? 

12  A.  So  the  solution  would  be  proposed  at  a  preliminary  design 

13  review  to  the  program  manager  and  the  product  manager.  They  would 

14  either  get  a  go  or  no  go  decision  at  that  point  on  their  approach  and 

15  how  they  would  address  a  solution.  And  they  would  then  identify  a 

16  solution  and  propose  that  back  at  a  critical  design  review.  And  at 

17  the  critical  design  review  the  program  manager  would  make  a  decision 

18  about  the  baseline  itself  and  whether  or  not  under  cost  schedule  and 

19  performance  parameters  we  can  execute  the  solution. 

20  Q.  Where  are  --  what  points  of  this  process  are  you  involved 

21  with? 

22  A.  So  I'm  involved  in  all  parts  of  the  process  as  an  oversight 

23  function  today.  Through  my  career  in  DCGS-A  I've  been  —  as  I 


8584 




1  mentioned,  an  IPT  lead,  an  IPT  engineer,  and  a  lead  systems  engineer 

2  on  a  product.  So  I've  seen  how  the  process  works  from  all  points  of 

3  view  in  terms  of  the  process.  But  today  that's  where  I  sit.  Most  of 

4  my  functions  is  engaging  with  the  Office  of  the  Secretary  of  Defense 

5  who  also  acts  as  an  oversight  role  on  the  program  as  an  ACAT  I 

6  program.  And  so  I  act  as  their  conduit  into  the  program  so  they  can 

7  better  understand  the  objectives  and  where  we're  trying  to  go. 

8  Q.  What  happens  after  the  program  manager  makes  a  decision? 

9  A.  Essentially  contracts  are  let  and  the  solution  is  built. 

10  After  it's  integrated  and  built,  we  go  to  what  I  call  code  and  unit 

11  test  and  then  development  test  where  we  would  have  Army  test  and 

12  evaluation  command  come  in  and  evaluate  the  solution  that  was  built. 

13  And  then  upon  successful  completion  of  developmental  tests  we  would 

14  go  into  an  operational  test. 

15  Q.  What  is  an  "operational  test"? 

16  A.  An  operational  test  is  essentially  an  operational  unit 

17  using  the  system,  stressing  the  system,  and  validating  that  the 

18  system  is  effective,  suitable,  and  survivable;  does  the  system  work. 

19  Q.  Let's  talk  about  baselines.  What  is  a  "baseline"? 

20  A.  So  for  us  a  "baseline"  is  essentially  the  hardware  and 

21  software  that  we  field  and  train  to  an  Army  unit  for  them  to  use 

22  whatever  piece  of  portfolio  that  may  be.  So  as  we  come  out  of  that 

23  test,  we  provide  that  software  or  that  hardware  or  both  in  most 


8585 




cases  to  the  unit  through  a  fielding  process  where  we  train  them, 
they  sign  for  the  equipment,  and  that  baseline  is  then  used  as 
essentially  their  weapon  system. 

Q.  What  is  of  the  purpose  of  the  baseline? 

A.  So  the  purpose  of  the  baseline  is  the  process  from 
requirements  to  the  —  to  the  operational  test  has  valid  --  the  Army 
has  validated  a  risk  profile  and  the  function  survivability 
essentially  and  the  suitability.  So  does  the  system  work?  Will  it 
work  for  a  long  period  of  time?  And  is  it  sustainable  by  Army 
metrics?  So  the  Army  process  has  val  —  I  shouldn't  say  the  Army 
process  —  the  process  has  validated  those  things  and  so  the  baseline 
defines  —  and  defines  a  risk  profile  for  the  Army  with  regard  to 
will  that  baseline  meet  the  warfighter's  requirements  and  work  for 
that  warfighter. 

Q.  You  just  mentioned  risk  profile.  What  are  some  of  the 
risks  the  process  tries  to  prevent  or  mitigate? 

A.  So  throughout  the  entire  process  risk  is  —  a  lot  of  —  a 

lot  of  the  program  manager's  job  is  managing  risk.  Essentially 
there's  technical  schedule  and  cost  risk  associated  with  building  any 
solution  for  the  Army.  So  managing  that  risk,  in  all  three  of  those 

facets,  is  critical  to  how  a  program  manager  executes  their  job.  So 

it's  not  just  about  technical  performance  it's  about  the  cost  and 
schedule  also  associated  in  delivering  that  solution. 


8586 




Q.  What  role  does  bandwidth  play  in  determining  the  system 
setup? 

A.  So  in  terms  of  the  system  setup,  is  that  what  you  asked? 

Q.  Yes. 

A.  So  I  think  in  terms  of  the  system  setup,  I  would  think  that 
the  system  is  designed  to  be  set  up  or  to  initially  be  set  up  without 
bandwidth.  To  be  a  fully  severable  system  —  I  shouldn't  say  that  — 
most  of  the  portfolio  —  I  guess  all  of  the  portfolio  can  be  set  up 
without  any  communications  backbone.  However,  the  communications 
backbone  enables  the  analyst  access  to  information  that  they  —  they 
essentially  require  for  their  job.  So  the  system  is  enabled  by  the 
bandwidth  that's  provided,  but  in  order  to  set  it  up,  it's  not 
required. 

Q.  In  the  deployed  environment,  how  many  communities  might  be 
on  the  same  bandwidth? 

A.  I  don't  know  the  answer  to  that  question. 

Q.  What  is  the  portfolio  security? 

A.  So  for  us  portfolio  security  is  back  to  the  systems  that  I 
had  mentioned;  DCGS-A  delivers  a  common  ground  station,  an 
intelligence  fusion  server,  multiple  pieces  of  the  portfolio.  And  so 
we  manage  security  as  a  portfolio.  Can  we  connect  to  the  network? 

Is  this  survivable  in  terms  of  vulnerabilities?  Are  we  resilient  to 
vulnerabilities?  And  so  as  the  program  manager,  you're  managing 


8587 




1  that  profile,  that  —  again  that  risk  profile  in  terms  of  security  in 

2  the  solutions  that  you're  building. 

3  Q.  Why  is  it  important? 

4  A.  So  —  for  us  —  for  a  program  manager  delivering  a  software 

5  solution  what's  really  important  is  that  those  Soldiers  have  the 

6  capacity  that  they  need.  So  in  order  to  do  that  they  have  to  be  able 

7  to  connect  to  the  networks  that  they  need.  So  for  us  it's  critical 

8  that  we  meet  the  requirements  of  the  networks  that  we  connect  to.  D- 

9  A  connects  to  six  different  networks  by  requirement.  So  along  with 

10  those  six  different  networks  comes  six  different  requirement  sets  for 

11  those  networks.  So  it's  critical  for  us  to  maintain  a  positive 

12  security  profile  —  and  I  say  positive  in  terms  of  meeting  those 

13  requirements  so  that  they  can  connect  to  the  network  and  get  to  the 

14  information  that  they  need  and  the  systems  can  remain  on  the  network. 

15  Q.  What  does  "cyber  hardening"? 

16  A.  "Cyber  hardening"  is  a  relatively  new  term  for  something 

17  that  we've  had  to  do  since  —  since  the  instantiation  of  DCGS-A, 

18  which  is  essentially  back  to  the  —  to  the  security  point  that  we  had 

19  mentioned  before.  We  have  to  harden  the  systems  in  order  to  meet  the 

20  requirements  of  the  network.  So  that  means  the  OS  has  to  be 

21  hardened,  has  to  —  has  to  go  through  the  security  checklists,  and  it 

22  has  to  be  replicated  across  5,000  laptops,  across  700  servers.  So 

23  it's  not  something  that,  you  know,  we  can  expect  every  client  user  to 


8588 




go  through.  It  needs  to  be  out  of  the  box  that  way  every  time  so 
each  user  is  not  concerned  about  the  security  profile  of  their 
system.  That  comes  inherent  to  the  system  that  we're  providing. 

Q.  Let's  talk  about  Wget.  What  is  "Wget"? 

A.  So  "Wget"  is  —  I  have  a  cursory  knowledge  of  Wget.  Wget 
scrapes  web  sites  —  essentially  uses  FTP  and  pulls  down  that 
information  and  allows  you  to  export  it  to  multiple  formats. 

Q.  What  do  you  mean  when  you  say  it  scrapes  web  sites? 

A.  It  essentially  pulls  the  information  off  of  the  web  server. 
Q.  How  much  of  the  information? 

A.  I  think  you  can  determine  how  much  information  you  want. 

Q.  When  has  Wget  gone  through  the  authorization  process? 

A. Wget -- to my knowledge Wget has never been authorized on a
DCGS-A system.

ATC [CPT von ELTEN]: One moment, Your Honor.

[Pause] 

ATC  [CPT  von  ELTEN]:  Nothing  further. 

MJ:  Cross-examination? 

CROSS-EXAMINATION 

Questions by the assistant defense counsel [CPT TOOMAN]:

Q.  Good  evening,  Mr.  Kitz. 

A.  Sir,  how  are  you? 


8589 




1  Q.  Well,  thank  you.  Mr.  Kitz,  you  spoke  on  direct  about  the 

2  process  through  which  a  program  will  get  vetted  to  become  part  of  the 

3  baseline? 

4  A.  Yes. 

5  Q.  And  you  mentioned  —  you  used  the  term  a  couple  times  "ACAT 

6  I".  What  does  that  mean? 

7 A. So it's an acquisition category. So essentially -- I don't

8  —  I  don't  actually  know  who  --  if  it's  Congress  or  Department  of 

9  Defense  who  sets  these  categories,  but  based  upon  the  funding 

10  threshold  for  the  —  for  your  program,  specifically  RDT&E,  the 

11  research  and  development  funding,  determines  how  big  your  program  is. 

12 And, Number I is the biggest. There are also IIs and IIIs — IIIs

13  being  relatively  small.  Off  the  top  of  my  head  I  don't  remember  the 

14  thresholds.  It's  different  if  you're  an  NDAP  a  major  development 

15  acquisition  program.  It's  different  —  we're  actually  called  a  Major 

16  Automated  Information  System;  a  MAIS,  which  means  that  you're  an  IT 

17  system  --  you're  buying  software  and  hardware  for  the  Department  of 

18  Defense. 

19  Q.  Okay,  and  so  being  an  ACAT  system  —  ACAT  I  system  means 

20  that  it's  one  of  the  biggest  programs  in  the  Army,  correct? 

21  A.  It  is. 

22  Q.  And  with  that  comes  a  lot  of  oversight? 

23  A.  Roger,  sir. 


8590 




1  Q.  Because  there's  a  lot  of  money? 

2  A.  Yes,  sir. 

3  Q.  Okay.  Now  you  talked  about  the  pro  —  or  the  process 

4  through  which  a  software  program  will  become  part  of  the  baseline  and 

5  it  starts  with  the  requirements  document,  correct? 

6  A.  Roger,  sir. 

7  Q.  Okay,  so  when  you  get  a  requirements  document  —  let's  use 

8  an  example,  you  might  get  a  requirements  document  that  says  we  need  a 

9  word  processor? 

10  A.  Yes,  sir. 

11  Q.  Okay,  so  now  we're  going  to  try  and  find  a  word  processor 

12  that  fits  our  needs,  right? 

13  A.  Correct. 

14  Q.  Okay,  so  the  first  thing  that  happens  then  are  you  come  up 

15  with  A  spec's  and  B  spec's? 

16  A.  Yes,  sir. 

17  Q.  What's  an  "A  spec'"? 

18  A.  It's  that  functional  decompensation  of  the  requirement.  So 

19  as  you  mentioned,  word  processor  —  so  the  CPD  would  say  I  need  a 

20  word  --  you  know,  the  Army,  the  DCGS-A  needs  to  have  a  word 

21  processor.  You  can't  build  a  system  based  upon  that,  right?  So  you 

22  need  things  so  —  to  give  to  a  developer  —  tasks  to  give  to  a 

23  developer  to  actually  build  a  word  processor.  So  what  are  the  tasks 


8591 




1  or  those  measurable  things  —  like  I  mentioned,  languages,  back 

2  space,  support  for,  you  know,  external  development.  Those  types  of 

3 things would be in an A spec' and B spec'. So when a tester went

4  through  it  and  said,  does  this  meet  the  requirement,  there's 

5  something  measurable  that  that  tester  can  say,  yes,  it  supports 

6  Chinese  language  —  all  characters,  so  on  and  so  forth. 

7  Q.  Okay.  So  we're  going  to  have  sort  of  a  big  picture 

8  requirement  of  we  need  a  word  processor  and  then  we're  going  to 

9  burrow  down  even  further  and  say  it  needs  to  be  able  to  do  English, 


10 it needs to be able to do Arabic -

11 A. Yes, sir.

12 Q. - and needs to be able to be able to save, and I need to

13 bold, or

14 A. Exactly right.

15 Q. - any number of requirements?

16 A. Exactly right.

17 Q. Okay. So then it's going to go into the sort of

18 development phase. It's going to go to the — I think you called

19 them integrated product teams?

20 A. Yes, sir.

21 Q. And those teams; what are they going to do with it?

22 A. So essentially the IPTs create these A spec's and B spec's,

23 so they understand their task and charter of what they have to build.

8592 




1  And  then  they  will  begin  the  process  to  identify  a  material  solution 

2  that  will  meet  those  requirements.  So  a  word  processor  in  this 

3  example  —  all  of  those  requirements  would  get  to  one  team  and  that 

4  team  would  then  begin  the  process  of  identifying  a  solution,  whether 

5  —  that  may  be  a  solution  the  Army  already  has.  It  may  be  something 

6  that  we  need  to  contract  out  for  a  new  development.  Or  it  may  be 

7  needs  —  something  that's  commercially  readily  available  and  we  can 

8  go  to  industry  to  get  it. 

9  Q.  Okay,  so  the  IPTs  may  say  we've  got  Microsoft  Word,  we've 

10  got  Open  Office,  and  they're  going  to  look  at  all  of  those  things  and 

11  see  which  one  of  them  fits? 

12  A.  That's  right.  And  they  would  measure  against  the  cost 

13  schedule  and  performance  of  —  of  that.  So  the  best  performing  word 

14  processor  may  not  be  available  to  us  because  of  a  cost  prohibition, 

15  or  because  it  wouldn't  be  able  to  meet  the  schedule  for  all  the 

16  features  we  need. 

17  Q.  Okay,  and  then  those  IPTs  are  going  to  propose  solutions 

18  like  we're  —  they're  ultimately  going  to  say,  for  example,  let's  go, 

19  well,  Microsoft  Word? 


20 A. Correct.

21 Q. That's our recommendation?

22 A. Yes, as an ACAT I program we have gates that we have to

23  meet.  So  a  PDR;  preliminary  design  review  or  critical  design  review, 


8593 




1  and  at  those  gates  we  would  validate  the  design  or  their  proposed 

2  solution. 

3  Q.  Okay,  and  so  there  are  multiple  IPTs,  correct?  So  we're 

4  going  to  have  IPTs  that  are  looking  at  the  software  requirement  from 

5  a  number  of  different  angles,  correct? 

6  A.  Yes,  sir.  Yes. 

7  Q.  Okay,  so  then  after  we  have  --  each  of  those  IPTs  comes  up 

8  with  a  recommendation,  then  we're  going  to  another  phase  where 

9  someone  sits  down  and  looks  at  it  all  and  try  to  eliminate 

10  redundancies,  right? 

11  A.  No,  I  wouldn't  call  it  a  separate  phase. 

12  Q.  Okay. 

13  A.  So  —  there  is  a  systems  engineering  IPT  that  conducts  and 

14  orchestrates  this.  Again,  it's  quite  large  —  quite  a  large  program. 

15  So  you're  right,  there's  anywhere  between  12  and  16  IPTs  at  DCGS-A  at 

16  any  one  time  depending  upon  the  focus  of  how  we're  building  the 

17  software.  But  I  would  not  call  them  discrete  entities  in  the 

18  process.  There's  one  sort  of  systems  engineering  IPT  orchestrating 

19  these  sub-IPTs. 

20  Q.  Okay. 

21  A.  So  it's  a  constant  sort  of  rolling  feedback  in  terms  of 

22  redundancy,  in  terms  of  identifying  solutions  that  would  meet  more 

23  than  one  IPT's  requirement,  so  on  and  so  forth. 


8594 




1  Q.  Okay,  so  after  the  IPTs  it's  then  going  to  go  to  initial  — 

2  initial  design  review,  correct? 

3  A.  Yes,  sir. 

4  Q.  Okay,  and  an  initial  —  initial  design  review  there  are 

5  going  to  be  trade  studies  - 

6  A.  That's  correct. 

7  Q.  -  so  you're  going  to  have  industry  members  or  other 

8  groups  studying  the  market  and  they're  going  to  give  their  input? 


9 A. No. It would still be the government that's studying the

10 market. But that would be the point with which we would engage with

11 industry to see what's available.

12 Q. So there you'd reach out and see

13 A. That's right.

14 Q. - see what's already available or see how much it costs

15 A. Right.

16 Q. - to create something new?

17 A. Right.

18 Q. And out of that you're going to get a proposed design,

19 correct?

20 A. Yes, sir.

21 Q. Okay. And then you're going to have -- that's sort of the

22 first stage where you're going to have go, no go — this is what

23 we're going to do or -

8595 




1  A.  Typically  - 

2  Q.  - or  go  back? 

3  A.  -  in  my  experience  an  initial  design  review  ends  with  a 

4  lot  of  things  to  do. 

5  Q.  Okay. 

6  A.  So  —  so,  you  know,  you  didn't  quite  meet  the  mark  of  the 

7  design.  Here's  all  the  things  you've  got  to  do  before  your  final 

8  design  phase. 

9  Q.  Once  you  hit  that  gate  —  once  you  get  to  go  —  at  that 

10  phase,  then  you're  going  to  go  to  operational  testing,  correct? 

11  A.  We  go  through  a  development  phase  —  essentially  you've  got 

12  to  build  —  after  you  finish  designing  you've  got  to  finish  building 

13  it  and  then  you  go  to  a  test  phase. 

14  Q.  And  then,  again,  you're  going  to  have  to  get  a  no  —  no  go 

15  —  or  a  go/no  go  at  the  testing  phase? 

16  A.  Correct. 

17  Q.  And  then  once  all  of  that  stuff's  done  we're  going  to  have 

18  a  baseline  —  we're  going  to  have  a  software  program  that  is  — 

19  becomes  part  of  the  baseline  or  gets  approved  to  part  of  the 

20  baseline? 

21  A.  Defines  the  baseline,  yes. 

22  Q.  Okay.  And  that's  all  —  that's  a  lengthy  process? 

23  A.  Yes,  sir. 


8596 




1  Q.  And  it's  a  lengthy  process  because  this  is  a  big  program 

2  with  a  lot  of  oversight? 

3  A.  Sure. 

4  Q.  Now,  updates  to  DCGS-A,  the  software  baseline,  those 

5  typically  happen  on  a  18  to  24  month  cycle? 

6  A.  Yes,  sir.  To  the  baseline  itself,  yes. 

7  Q.  Okay.  So  it's  possible  for  a  user  —  a  unit  that  may  be 

8  deployed,  to  be  operating  on  a  system  that  is  old? 

9  A.  Absolutely.  Yes,  sir. 

10 Q. So it's possible for — if a unit deploys December 31st and

11  the  new  system  comes  out  on  January  1st,  they're  really  working  with 

12  a  system  that's  18  to  24  months  old  at  that  point? 

13  A.  I  think  you  would  find  not  the  case.  Once  a  new  software 

14  baseline  has  been  defined,  theater  usually  is  priority,  and  most 

15  units  in  theater  elect  to  upgrade  their  software  once  that  baseline 

16  is  available. 

17  Q.  Okay,  so  they  wouldn't  - 

18  A.  So  you're  right  in  that  18  to  24  months  there  is  an  older 

19  software  baseline,  but  once  there's  a  new  one  available,  you'll  find 

20  that  unit  —  my  experience  has  been  that  units  want  that  new 

21  software.  So  they  would  request  that  and  get  it. 

22  Q.  So  the  update  would  happen  in  the  field? 

23  A.  Yes,  sir. 


8597 




1  Q.  Okay.  Now  there  are  other  ways  that  software  can  be  added 

2  in  the  field,  correct? 

3  A.  Yes,  sir. 

4  Q.  One  such  way  would  be  to  put  in  —  to  go  through  this  whole 

5  process;  that  would  be  one  way,  right? 

6  A.  Yes,  sir. 

7  Q.  And  another  way  would  be  to  ask  for  --  basically  ask  for  an 

8  update,  correct?  Or  ask  for  approval  to  put  something  on? 

9  A.  Yes,  sir.  You  can  —  so  once  a  baseline  has  been  defined, 

10  we  stand  up  a  process  called  our  Engineering  Change  Review  Board; 

11  ERB.  An  ERB  essentially  manages  that  baseline.  And  the  program 

12  manager  does  that  for  the  first  year  that  the  baseline  is  defined, 

13  and  then  we  transition  that  to  the  communications  electronics 

14  command;  also  located  at  Aberdeen  Proving  Ground,  that  manages  the 

15  sustainment  of  that  system.  So  they're  funded  to  ensure  that  the 

16  baseline  remains  current,  relevant,  and  they  manage  that  process  for 

17  the  engineering  review. 

18  Q.  Now,  it's  —  it's  possible  that  a  unit  may  want  to  add 

19  something  to  their  system  and  not  want  to  go  through  any  of  those 

20  processes,  correct? 

21  A.  Absolutely.  Yes,  sir. 

22  Q.  And  that  unit  may  decide  we're  just  going  to  do  it  and 

23  we're  not  going  to  check  with  anyone? 


8598 




A.  I  imagine  that  that's  possible.  However  the  unit  is  not 
authorized  to  change  the  baseline.  That's  —  that's  not  something 
that  —  there's  no  sort  of  process  for  that,  if  you  will. 

Q.  Sure.  The  unit  may  say,  I  don't  really  want  to  go  through 

this  long  testing  process.  I  don't  really,  I'm  —  you  know,  we're 
deployed,  we  don't  want  to  deal  with  these  hoops.  We  just  want  to 
get  the  mission  done;  we're  going  to  put  it  on  there. 

A.  Yes,  they  may  do  that.  I  —  I'm  not  certain  how  —  what 
the  process  would  be,  but  yes,  they  may  do  that. 

Q.  Okay,  you  spoke  about  Wget.  And  you  talked  about  Wget 
being  a  secure  FTP  program? 

A.  I'm  not  certain  that  it  uses  SFTP. 

Q.  Okay. 

A.  SFTP  is  a  different  protocol  from  FTP.  I  only  have  a 
cursory  knowledge  of  Wget  from  these  proceedings.  But,  yes,  I  did 
speak  of  it. 

Q.  Okay.  There  are  a  lot  of  programs  out  there  that  are  safe 

that  have  never  been  approved  as  part  of  the  baseline,  correct? 

A.  That's  true,  yes. 

Q.  And  that's  because  they've  never  been  tested? 

A.  Or  they  may  not  have  a  requirement  to  be  on  the  baseline. 

Q.  Okay.  Now,  there  is  a  secure  FTP  program  that's  part  of 

the  baseline,  isn't  it? 


8599 




A.  Yes,  sir. 

Q.  And  that  is  a  program  called  "Safe  Move"? 

A.  Yes,  sir. 

Q.  And  that  program  essentially  has  the  same  capabilities  as 
Wget  in  that  it  can  be  used  to  go  out  and  download  entire  web  pages 
if  you  wanted  to? 

A.  Potentially.  It's  - 

MJ:  What  is  the  name  of  that  program? 

ADC [CPT TOOMAN]: Safe Move.

MJ: Thank you.

A. Safe Move was -- is designed to essentially pull files. So
can  it  take  web  pages?  Yes,  it  would  have  to  access  the  web  server 
and  get  to  the  files  behind  it.  It’s  a  little  bit  of  a  different 
design,  but  absolutely.  It  is  a  FTP  to  move  files  and  it  is  loaded 
on  the  DCGS-A  system. 

Q.  Now,  you  spoke  about  connectivity  and  you  mentioned  that 
the  DCGS-A  system  is  a  system  that  doesn't  have  to  be  connected,  but 
in  reality  if  it's  not  connected  it's  not  —  it's  kind  of  worthless, 
right? 

A.  I  wouldn't  use  that  term  because  you  still  have  all  the 
commercial  tools  available  to  you  that  you  would  need  to  do  your  job. 
But  if  you're  not  connected,  you  know,  obviously  your  data  pool  is 
very  small  comparatively. 


8600 




1  Q.  You  need  the  connectivity  to  access  information  from 

2  various  databases? 

3  A.  Yes,  sir. 

4  Q.  And  that's  the  information  that  you're  going  to  use  to 

5  create  your  work  product? 

6  A.  Yes,  sir. 

7  Q.  Now,  Mr.  Kitz,  do  you  know  whether  or  not  Soldiers  today 

8  are  allowed  to  —  to  work  on  their  DCGS-A  machine?  And  by  "work  on 

9  it",  I  mean  modify  it  or  tinker  with  it? 

10  A.  They  are  not  authorized.  We  have  a  recent  program  to  allow 

11  Soldiers  to  —  that  are  authorized,  but  there's  a  very  small  number 

12  of  Soldiers  today  authorized  admin'  rights  —  what  I  would  —  would  I 

13  would  term  admin'  rights  to  the  system. 

14  Q.  Okay,  and  so  in  the  past  how  it  would  work  would  be  you 

15  would  have  a  deployed  unit  and  they  would  have  a  DCGS-A  contractor 

16  that  would  be  sort  of  embedded  with  the  unit? 

17  A.  Yes,  sir. 

18  Q.  And  that  individual  would  be  the  one  who  would  work  on  the 

19  machines? 

20  A.  Yes,  sir,  field  service  engineer.  Yes,  sir. 

21 Q. And now today we have, in some cases, Soldiers are able to

22  do  those  same  functions? 

23  A.  Only  in  one  instance,  yes,  sir. 


8601 




Q.  Now,  when  a  unit  deploys  and  they  come  back  to  the  states, 
DCGS-A  —  the  DCGS-A  machines  get  scrubbed,  don't  they? 

A.  No,  I  don't  —  I'm  not  —  ask  your  question  again. 

Q.  Sure. 

A.  I  don't  believe  I  quite  understood  it. 

Q.  When  a  unit  —  sorry.  I'll  rephrase. 

A.  Yes. 

Q.  When  a  unit  redeploys  and  come  back  to  the  states,  what 
happens  to  the  DCGS-A  machines? 

A.  It's  totally  up  to  the  unit. 

Q.  Okay. 

A.  The  program  does  nothing  with  the  system.  There  is  a 
program  called  "reset",  where  they  blow  the  dust  out  of  it  —  pull  it 
out  and  make  sure  everything  works  and  everything  turns  on.  But  from 
the  program  perspective;  we  don't  touch  the  software  in  the  system. 
The  system  remains  the  way  it  was  when  the  unit  comes  back  with  it. 

Q.  And  when  a  unit  has  their  DCGS-A  machines  updated,  that 
would  be  something  that  is  done  by  a  DCGS-A  representative? 

A.  Yes,  sir. 

Q.  And  that  person  would  look  at  what's  on  the  DCGS-A  machine 
that  they're  updating,  correct? 

A.  No,  I  would  not  make  that  assumption  because  when  the 
program  goes  out  to  update  a  baseline,  they're  providing  a  new 


8602 




baseline  to  that  system.  So  essentially  they  are  actually  reloading 
the  entire  system  and  moving  the  data  over.  So  I'm  not  certain  that 
they  would  —  I  would  use  the  term  "scrub  the  old  system"  because  I 
don't  think  that  they  necessarily  are  concerned  about  the  specifics 
are  what  on  that  system,  they're  concerned  about  the  data  that  was 
there  and  updating  that  system.  And  in  a  lot  of  cases,  they'd  — 
they'd  —  they  would  get  a  new  physical  system  depending  upon  how  old 
the  hardware  was. 

Q.  What  would  —  if  they  got  a  new  system,  what  would  happen 
to  the  old  system? 

A.  Actually  the  PM  would  take  ownership  of  that  —  that  system 
and  —  and  they  would  have  disposition  instructions  associated  with 
it. 

Q.  Sir,  are  you  aware  of  whether  or  not  it's  common  for  DCGS-A 
systems  to  have  unauthorized  software  or  unauthorized  files  on  them? 

A.  I'm  not  in  a  position  where  I  have  direct  knowledge  to  that 

but  it  is  my  understanding  that  it  is  relatively  common,  yes,  sir. 

ADC [CPT TOOMAN]: Okay. Nothing further. Thank you, Mr. Kitz.

[END  OF  PAGE] 


8603 




REDIRECT  EXAMINATION 

Questions by the assistant trial counsel [CPT von ELTEN]:

Q.  Mr.  Kitz,  who  uses  Safe  Move? 

A.  Relatively  —  the  only  people  who  use  Safe  Move  is  the 
field  service  engineer.  They're  the  only  people  that  have  access  to 
that  application. 

Q. What side does Safe Move operate on?

A. It's entirely server side operation. So there's no Safe
Move  loaded  on  a  client. 

Q.  What  side  is  a  user  on? 

A.  Just  the  client  side. 

Q.  When  is  a  user  on  the  network  side  or  system  side? 

A.  The  user  does  not  have  access  to  the  system  as  a  —  as  a 

client  user.  Only  an  admin'  right  would  have  access  to  the  operations 
on  the  server. 

Q.  What  side  is  Wget  operate  on? 

A.  You  can  run  it  either  on  the  server  or  the  client. 

Q. What side does Wget operate on if it's used from an analyst
laptop?

A.  It  would  be  a  client. 

ATC [CPT  von  ELTEN]:  Thank  you. 

MJ:  I  just  have  a  couple  of  questions  for  you. 


8604 




EXAMINATION  BY  THE  COURT-MARTIAL 
Questions  by  the  Military  Judge: 

Q.  Is  mIRC  chat  on  the  list  of  authorized  programs? 

A. It is not on the list of authorized programs, ma'am. It —
there was a technical bulletin released to our field service
engineers that outlined how to load it if a commander chose to load
it. But it is not on the official baseline and that letter that went
out the engineers essentially showing them how because we understood
that a lot of commanders wanted that — wanted mIRC chat. So
essentially that letter outlined that it is not part of the baseline
and any cost associated with mIRC, because it is a licensed product
as well, was the commander's risk and the commander of that unit had
to procure it.

Q.  So  let  me  —  let's  go  back  to  the  commander's  authority 
again.  So  if  a  commander  is  out  in  the  field  and  wants  to  install 
mIRC  chat,  for  example,  do  they  have  to  —  you  said  you  sent  a  letter 
because  you  have  systems  engineers  that  accompany  the  units  that  help 
them  with  their  DCGS 

A.  Yes. 

Q.  —  -A  computers.  So  does  the  commander  have  to  use  that 
DCGS-A  engineer  to  load  the  program? 

A.  Yes,  ma'am.  The  engineer  is  the  only  person  that  has  the 
admin'  rights  to  the  system.  And  when  I  said  "letter"  I  should 


8605 




qualify  that.  We  have  a  process,  it's  actually  called  a  technical 
bulletin.  So  as  —  let's  say  a  security  update  comes  out  for  Oracle 
and  Oracle  is  on  the  system,  we  release  a  technical  bulletin.  Here, 
field  service  engineer,  this  is  how  you  would  apply  this  security 
patch  to  Oracle.  So  we  release  —  we  didn't  release  a  letter,  we 
released  a  the  technical  bulletin  saying  that  we  understand  that 
commanders  have  been  requesting  this,  it  is  not  authorized,  we, 
program  manager,  are  not  authorized  to  allow  you  to  have  it,  however 
we  understand  that  the  commander  wants  to  take  the  risk.  If  the 
commander  sends  us  a  letter  then  we  will  allow  that  to  —  to  be 
loaded  on  the  system. 

Q. So on a DCGS-A computer, if an individual user wanted to
load mIRC chat or Wget or any other type of program, and they tried
to do it, would the computer itself stop the user from doing it with
the little box that says you don't have admin rights?

A.  Yes,  ma'am. 

Q.  Would  the  same  be  true  if  the  program  was  on  a  shared 
drive? 

A.  Yes,  ma'am.  Once  it  accessed  essentially  the  registry,  it 
should  kick  and  say,  you  require  a  password  to  load  any  —  any  syst 
-  any  software  on  the  system. 


8606 




Q.  So  if  the  software  program  is  on  a  shared  drive  and  the 
user  reaches  out  on  the  shared  drive  and  takes  it  back  on  the  local 
drive  that  message  should  come  up? 

A.  Yes,  ma'am  —  once  they  tried  to  install  it. 

Q.  Could  they  put  a  shortcut  from  the  shared  drive  on  their 
system? 

A.  I  don't  believe  so,  no.  The  software  has  to  run  from 
somewhere. 

Q.  How  about  music,  games,  and  that  kind  of  thing,  can  those 
be  uploaded  from  a  user  to  a  DCGS-A  computer? 

A.  Yes,  ma'am. 

Q.  What's  the  difference  between  that  and,  say,  Wget? 

A. So -- there's a music player already on the system or --
It really just uses the file system. An example with Wget can be you
can download Wget or you can — you can put Wget on the system -- the
file itself — once you try to run it, you would be required admin'
rights.

MJ:  Any  follow-up  questions  based  on  mine? 

ATC [CPT  von  ELTEN] :  No,  ma’am. 

ADC [CPT  TOOMAN] :  Just  a  couple,  ma'am. 

[END  OF  PAGE] 


8607 




RECROSS-EXAMINATION 

Questions  by  the  assistant  defense  counsel  [CPT  TOOMAN] : 

Q.  Mr.  Kitz,  just  a  couple  of  questions  for  you.  You 
mentioned  a  memoranda  that  you  sent  out  to  commanders  because  you 
understood  that  they  wanted  to  use  mIRC  chat,  did  that  memorandum  or 
guidance  identify  a  particular  version  of  mIRC  chat? 

A.  Sir,  let  me  qualify  your  question  a  little  bit.  It  wasn't 
sent  to  commanders,  it  was  sent  to  the  field  service  engineers 

Q.  Okay. 

A. - essentially giving them guidance on — if the
commander asks you to install this, this is what's required of the
commander and this is how you would do it. I do not know offhand,
no.

Q.  Okay. 

MJ: Before you continue, let me just ask one more question
because it may inform your questions.

WIT:  Yes,  ma'am. 

EXAMINATION  BY  THE  COURT-MARTIAL 
Questions  by  the  military  judge: 

Q.  When  was  that  technical  bulletin  issued? 

A.  I  believe  it  is  in  2008,  ma'am. 

MJ:  Thank  you. 


8608 




RECROSS-EXAMINATION 

Questions  by  the  assistant  defense  counsel  [CPT  TOOMAN] : 

Q. And a commander had to approve the addition of the mIRC
chat?

A.  Yes,  the  commander  specifically  had  to  accept  the  risk. 

Q.  Mr.  Kitz,  would  it  be  possible  to  add  mIRC  chat  onto  the 
desktop  as  an  executable  file? 

A.  Without  admin'  rights? 

Q.  Yes. 

A.  I  don't  believe  so. 

Q.  What  about  Wget? 

A.  I  don't  believe  so. 

ADC [CPT  TOOMAN]:  Thank  you,  Mr.  Kitz. 

REDIRECT  EXAMINATION 

Questions  by  the  assistant  trial  counsel  [CPT  von  ELTEN] : 

Q.  Mr.  Kitz,  how  do  you  install  Wget? 

A.  I've  actually  never  installed  it  on  my  machine  so  I  would 
not  be  able  to  necessarily  answer  that  question. 

Q.  How  do  you  install  mIRC  chat? 

A.  mIRC  chat  you  would  have  to  download  and  it  probably  has  an 
MSI  file  that  allows  —  that  has  automated,  you  know,  installation 


8609 




instructions and you click through next like you would most — most
applications.

Q.  How  sure  are  you  about  mIRC  chat? 

A.  How  sure  am  I  with  regard  to  what? 

Q.  About  its  installation? 

A.  How  sure  am  I  about  what  about  its  installation?  About  - 

Q.  The  process  you  described. 

MJ:  I  thought  he  just  said  he  didn't  know  how  to  install  it. 

Did  I  misunderstood  your  testimony? 

A.  No 

MJ:  Oh,  are  you  talking  about  mIRC  chat  - 

A.  -  he  asked  me  Wget  chat. 

Q.  mIRC  chat. 

MJ:  - or  Wget.  Okay. 

A.  And  mIRC  chat  I  have  installed  before.  So  I'm  relatively 
confident  that  mIRC  chat,  you  know,  requires  some  sort  of  interaction 
with  the  user  to  install  it. 

Q.  When  you  said  MSCI? 

A.  MSI. 

Q.  And  what  is  an  MSI? 

A.  An  MSI  is  essentially  a  wrapper  around  an  application  that 
automates  installation.  So  whenever  you  download  a  file  on  the 


8610 




internet and you load — you know, you bring up — I want to
double-click and install it, it brings up a, you know, who are you, and then
next  here's  the  service  agreement  between  me  and  the  user,  next  is 
what  are  the  configurations,  you  know  —  I  need  an  IP  address  for  the 
chat  server  that  mIRC  will  connect  to.  Then  you  click  next.  Are  you 
sure  you  want  to  install  this?  Yes.  And  the  MSI  file's  essentially 
the  wrapper  that  allows  the  interface  with  the  user  to  configure  and 
install  the  —  the  application. 

ATC [CPT von ELTEN]: Thank you.

MJ:  All  right,  temporary  or  permanent  excusal? 

ATC [CPT  von  ELTEN]:  Temporary,  ma'am. 

[The witness was temporarily excused, duly warned, and withdrew from
the courtroom.]

TC [MAJ  FEIN]:  Ma'am,  the  United  States  offers  to  read  a 
stipulation  of  expected  testimony  on  the  record. 

MJ:  Proceed. 

TC [MAJ  FEIN]:  This  is  Prosecution  Exhibit  107,  a  Stipulation  of 
Expected  Testimony  of  Ms.  Florinda  White,  dated  June  10  June  2013. 

It  is  hereby  agreed  by  the  Accused,  Defense  Counsel,  and 
Trial  Counsel,  that  if  Ms.  Florinda  White  were  present  to  testify 
during  the  merits  and  pre-sentencing  phases  of  this  court-martial, 
she  would  testify  substantially  as  follows: 


8611 




I  am  the  Configuration  Management  Lead  for  the  Distributed 
Common  Ground  System  Army  (DCGS-A)  program.  I  graduated  with  a 
degree  in  computer  science  in  1991.  Thereafter,  I  completed 
additional  courses  in  computer  science.  I  have  experience  with  Linux 
and  Windows.  Additionally,  I  have  experience  as  a  programmer,  system 
administrator,  network  administrator,  and  system  engineer.  I 
specialize  in  computer  management,  which  is  a  subspecialty  of  systems 
engineering.  From  2005-2010,  I  worked  as  a  contractor  on  the  DCGS-A 
program  for  which  I  currently  work.  As  a  contractor,  I  worked  as  an 
analyst  and  in  configuration  management. 

Currently, I work for Communications-Electronics, Research,
Development  and  Engineering  Center  (CERDEC)  Software  Engineering 
Directorate  (SED)  at  Aberdeen  Proving  Grounds,  Maryland.  CERDEC  is 
the  United  States  Army  Information  and  Technologies  and  Integrated 
Systems  Center.  SED  provides  software  acquisition  and  software 
engineering  support  to  Army  tactical  systems,  to  include  creation  of 
concept,  concept  development,  demonstration  of  concept,  production 
and  development,  and  operations  and  maintenance,  thereby  developing 
and  supporting  software  systems  throughout  their  lifecycle.  SED  also 
provides  information  assurance  and  determines  the  requirements  and 
necessary  tools  to  complete  tasks.  Software  products  developed  by 
SED  support  Army  war  fighting  efforts.  DCGS-A  is  a  component  of  SED. 


8612 




DCGS-A  is  the  Army's  primary  system  to  post  data,  process 
information,  and  disseminate  intelligence,  surveillance,  and 
reconnaissance  information  about  terrain,  threats,  weather,  and  other 
information related to Servicemembers — excuse me, Your Honor,
relevant to Servicemembers. DCGS-A is the approved system used by
intelligence analysts (35Fox Military Occupational Specialty). DCGS-A
provides commanders the ability to receive intelligence from
multiple sources and intelligence systems. Moreover, DCGS-A ensures
each  piece  of  approved  hardware  and  software  is  secure,  stable,  and 
compatible  with  existing  systems. 

As  the  Configuration  Management  Lead,  I  ensure  software  and 
hardware  for  each  system  meets  approved  specifications  and  follows 
approved  builds.  The  approved  builds  are  also  known  as  baselines. 
Each  baseline  consists  of  approved  software  and  hardware.  The 
software  is  specifically  listed  by  program  and  version  number. 
Hardware  is  specifically  approved  by  type  and  manufacturer.  A 
specific  baseline  is  described  in  a  Version  Description  Document 
(VDD). The VDD states each authorized component of a baseline. Any
software  or  hardware  not  listed  in  the  VDD  is  not  authorized  and  is 
not  part  of  the  baseline. 

The baseline is developed through a deliberate process.
The Program Manager (PM) of each system approves each respective
baseline that falls within the PM's system. The baseline is tested


8613 




for  stability.  Stability  means  that  the  system  itself  is  stable  and 
that  the  system  is  stable  when  interacting  with  other  approved 
systems.  Stability  is  important  because  the  computer  system 
completes  important  tasks  for  Servicemembers  and  the  system  must  work 
at  all  times,  especially  in  a  deployed  environment.  The  baseline  is 
also  tested  for  security.  Security  means  the  system  is  secure  by 
itself  and  when  it  interacts  with  other  approved  systems.  Security 
is  important  because  some  of  the  computer  systems  contain  classified 
information.  The  information  is  used  by  Servicemembers  to  complete 
their  missions,  and  the  systems  maintain  security  so  only  authorized 
users  can  access  the  information.  Ensuring  stability  and  security 
requires  extensive  testing.  Each  new  baseline  is  accredited,  and  any 
changes  to  the  baseline  must  be  certified  after  undergoing  the 
vetting  process. 

Any  change  to  the  baseline  requires  new  testing  of  the  new 
baseline  because  a  single  change  can  affect  a  system's  security  or 
its  stability.  The  process  to  make  changes  to  the  baseline  begins 
when  a  user  submits  a  request  identifying  requested  capabilities. 
After  a  request  has  been  submitted,  the  request  goes  before  the 
Engineer Review Board (ERB). The ERB is comprised of subject matter
experts,  engineers,  and  testers.  The  ERB  analyzes  and  assesses  the 
requested  changes  for  effectiveness  and  costs.  The  ERB  also  assesses 
any  effect  the  requested  change  could  have  on  the  network.  The  ERB 


8614 




provides  a  recommendation  based  on  its  conclusions  and  testing  to  the 
Configuration Control Board (CCB). The CCB is comprised of
configuration  subject  matter  experts,  engineers,  and  the  relevant  PM. 
The  CCB  then  makes  a  final  determination  based  on  the  effectiveness 
and  cost.  Changes  to  the  baseline  can  be  approved  in  3  days  up  and 
to  1  year  depending  on  the  complexity  of  the  system  and  the  nature  of 
the  requested  change.  The  process  has  been  designed  to  maintain 
system  security  and  stability. 

After  a  baseline  has  been  approved,  a  computer  image  is 
created.  This  computer  image  is  installed  onto  approved  systems.  An 
image  is  used  to  ensure  that  each  system  receives  exactly  the  same 
software.  Using  the  same  image  ensures  that  the  DCGS-A  program  only 
tests  one  image  instead  of  testing  each  system.  This  increases  the 
likelihood  the  software  will  comport  with  the  approved  baseline. 

Prosecution  Exhibit  9  is  the  VDD.  PE  9  describes  the 
baseline for a Basic Analyst Laptop (BAL). I am familiar with the
VDD  in  PE  9  and  other  VDDs  because  I  work  with  them  daily  in  my 
position  as  the  Configuration  Management  Lead.  As  the  Configuration 
Management  Lead,  I  inspect  images  to  ensure  the  image  meets  the 
standards  set  forth  in  the  baseline.  I  check  each  program 
individually  to  ensure  it  is  the  correct  program  and  specifically  the 
correct  version  of  the  program.  Any  software  not  approved  in  the 
baseline,  as  reflected  in  the  VDD,  is  not  authorized.  Specifically, 


8615 




even  if  a  software  program  is  authorized,  the  program  cannot  be  added 
to  the  image  unless  it  is  an  approved  version  from  approved  source. 
That  is,  the  approved  version  of  the  program  must  be  obtained  from  an 
authorized  source.  Programs  obtained  from  the  unauthorized  sources, 
such  as  the  Internet,  could  obtain  viruses,  Trojan  horses,  or  other 
malware  that  would  jeopardize  both  system  security  and  stability. 

Wget  get  is  a  computer  program  that  retrieves  content  from 
web  servers,  and  is  part  of  the  GNU  Project.  Wget  supports 
downloading  via  HTTP,  HTTPS,  and  FTP  protocols,  which  are  common 
protocols  used  on  the  internet  for  webpages.  Wget  is  a  free  network 
utility  commonly  used  to  retrieve  files  from  the  internet.  It  has 
been  designed  for  robustness  over  slow  or  unstable  network 
connections.  If  a  download  does  not  complete  due  to  a  network 
problem,  Wget  will  automatically  try  to  download  —  excuse  me,  Your 
Honor,  automatically  continues  the  download  from  where  it  left  off, 
and  repeat  this  until  the  whole  file  has  been  retrieved.  Wget  is 
non-interactive  in  the  sense  that  once  started,  it  does  not  require 
user  interaction.  To  my  knowledge,  Wget  has  never  been  authorized  as 
part  of  any  DCGS-A  baseline,  nor  has  it  been  requested  for  approved 
use.  As  such,  Wget  has  never  been  reviewed  by  our  program  and  I 
cannot  say  whether  it  would  be  approved  for  use  or  not.  The  VDDs 
create  —  created  for  Version  3.0P17,  Version  3.0P18,  and  Version 


8616 




3.1P3  each  did  not  authorize  Wget  on  a  DCGS-A  computer  or  for  it  to 
be  used  by  a  DCGS-A  user. 

ATC [CPT WHYTE]: Ma'am, the United States calls Captain
Thomas Cherepko.

CDC [MR. COOMBS]: Ma'am, before we hear from the witness if we
could a 10-minute break?

MJ:  All  right.  Any  objection? 

TC [MAJ  FEIN]:  No,  ma'am. 

MJ: Court is in recess until 10 minutes after 1600 or 4
o'clock.

[The  court-martial  recessed  at  1603,  12  June  2013.] 

[The  court-martial  was  called  to  order  at  1618,  12  June  2013.] 

MJ: Court is called to order. Let the record reflect all
parties present when the Court last recessed are again present in
court. Before we proceed, I have been advised that we now have a new
piece of equipment in the courtroom. Is that correct?

TC [MAJ  FEIN]:  Well,  ma'am,  it's  been  moved  since  then  during 
recess,  but,  yes. 

MJ: Why don't we just go ahead and put it on the witness stand
and have someone just sit in the witness chair to see if there are
any issues.

MR. PRATHER: I think we briefly went through that before you
came out.


8617 




TC [MAJ  FEIN]:  Ma'am,  I'm  placing  a  three-sided  essentially  box 
—  block  on  the  witness  stand. 

MJ: Let the record reflect that the court security officer, Mr.
Prather, is in the witness chair

MR. PRATHER: Test.

MJ:  —  and  we  are  testing  the  —  it  is  a  black  covering  that 
goes  above  the  —  where  the  witness  chair  ends  basically  up  to  the 
witness'  —  a  little  lower  than  the  witness'  neck,  and  that  is  to 
ensure  that  classified  information  is  protected. 

MR.  PRATHER:  Test.  Test.  Yeah,  can't  see. 

MJ: All right. We have the camera on. It appears that the
classified information is protected. Defense -- sit back down for
just a moment. Defense, any issues with the ability to observe the
witness?

CDC [MR. COOMBS]: No, Your Honor.

MJ: All right. Any other issues with respect to this new piece
of equipment?

CDC [MR. COOMBS]: No, Your Honor.

TC [MAJ FEIN]: No, ma'am.

MJ: All right. We can go ahead and move it back then. Thank
you.

[The  equipment  was  removed  from  the  witness  stand.] 

MJ:  Are  you  ready  to  call  your  next  witness? 


8618 




ATC [CPT  WHYTE]:  Yes,  ma'am.  The  United  States  calls  Captain 
Thomas  Cherepko. 

CAPTAIN  THOMAS  CHEREPKO,  U.S.  Army,  was  called  as  a  witness  for  the 
prosecution,  was  sworn,  and  testified  as  follows: 

DIRECT  EXAMINATION 

Questions  by  the  assistant  trial  counsel  [CPT  WHYTE] : 

Q. You are Captain Tom Cherepko from Pittsburgh, Pennsylvania?

A. Yes, sir.

Q.  Captain  Cherepko,  what  is  your  current  position? 

A.  I  am  the  CIS  Plans  and  Operation  Officer  for  NATO  Force 
Command,  Madrid. 

Q.  What  is  CIS? 

A.  Communications  and  Information  Systems. 

Q.  And  what  are  your  responsibilities  in  this  position? 

A. I do planning for training exercises and real world
operations.

Q.  Captain  Cherepko,  what  is  your  branch? 

A.  I  am  a  functional  area  53  basic  branch  engineer. 

Q.  And  what  training  did  you  receive  to  become  a  53  Alpha? 

A.  I  went  through  the  53  Alpha  course  also  known  as  the 
Information  System  Manager  Course. 

Q.  And  where  was  this  course? 

A.  Fort  Gordon,  Georgia. 


8619 




Q.  And  how  long  was  it? 

A.  Approximately  9  months. 

Q.  Can  you  please  describe  to  the  court  what  this  training 
consisted  of? 

A.  Yes,  sir.  The  course  is  broken  down  into  three  basic 
phases.  The  first  phase  is  networking.  The  second  phase  is 
enterprise  systems  with  the  Microsoft  Academy.  And  then  the  third 
phase  is  security  and  other  related  topics. 

Q.  And  what  certificates  did  you  receive  during  this  time? 

A. I received a CISSP, the Certified Information Systems
Security Professional, security plus, and the Windows Vista
certification.

Q.  And  what  was  your  first  assignment  out  of  this  course? 

A.  2nd  Brigade,  10th  Mountain. 

Q.  When  did  you  arrive  at  Fort  Drum? 

A. October 1st, 2009.

Q.  And  what  happened  when  you  arrived? 

A.  When  I  arrived  —  after  I'd  in-processed,  the  brigade  was 
in  the  process  of  deploying.  And  within  a  few  weeks  of  my  arrival  I 
deployed  with  the  brigade. 

Q.  Where  did  you  deploy  to? 

A.  To  FOB  Hammer,  Iraq. 

Q.  When  did  you  arrive  at  FOB  Hammer? 


8620 




A.  Middle  of  November;  sometime  after  the  relief-in-place  with 
the  82nd  Airborne. 

Q.  Did  PFC  Manning  deploy  to  FOB  Hammer  as  well? 

A.  Yes,  sir. 

Q. And what section were assigned to at FOB Hammer?

A.  The  S-6  section;  the  communication  section. 

Q.  What  was  your  position  at  FOB  Hammer? 

A.  I  was  the  Brigade  Automations  Officer. 

Q.  And  what  were  your  responsibilities  in  that  position? 

A.  My  responsibilities  were  the  maintenance  and  management  of 
the  brigade's  network.  In  the  absence  of  the  brigade  signal  officer, 
act  as  the  brigade  signal  officer  and  the  information  assurance 
manager. 

Q.  You  said  you  were  responsible  for  the  maintenance  of  the 
network? 


A.  Yes,  sir. 

Q.  What  classified  networks  were  available  at  FOB  Hammer? 

A. We had SIPRNET.

Q.  What  was  required  for  someone  to  get  access  to  SIPRNET? 

A. In order to get access for SIPRNET they needed to have a
forms that were filled out that were signed by their first line
supervisors stating that they had a need to have — to have access to
the network. The S-2 section was sign verifying their security


8621 




clearance. And then they would take the form to the helpdesk where
the account was created -- assuming that their IA training was
complete.

Q.  So  this  was  for  them  in  order  to  get  an  account  - 

A.  Yes,  sir. 

Q. - is the correct? So what type of documents did they
have to fill out in order to get -

A.  They  had  to  fill  out  the  account  request  form  and  an 
acceptable  use  policy. 

Q.  And  what  type  of  training  did  they  need  to  receive  in  order 
to  get  a  SIPRNET  account? 

A.  They  needed  to  have  the  annual  information  assurance 
training  complete. 

Q.  Was  there  exception  to  the  IA  training  requirement? 

A.  No. 

Q.  Was  there  exception  to  the  AUP  policy? 

A.  No,  sir. 

Q.  What  is  an  AUP? 

A.  An  Acceptable  Use  policy?  It  is  a  document  that  states 
what  you  are  and  are  not  permitted  to  do  on  the  network  that  you  are 
signing  for. 

Q.  And  what  regulations  are  covered  under  an  AUP? 

A.  AR  25-2  and  a  few  others  are  referenced. 


8622 




Q.  Did  PFC  Manning  have  a  SIPRNET  account? 

A.  Yes,  sir. 

Q.  And  how  do  you  know  that? 

A.  Because  on  the  night  he  was  detained,  I  deactivated  his 
SIPR  account. 

Q.  And  did  PFC  Manning  need  to  sign  an  AUP  to  get  a  SIPRNET 
account? 

A.  Yes,  sir,  everyone  was  required  to. 

Q.  So  let's  talk  about  the  AUP.  How  many  AUPs  have  you  signed 
in  the  course  of  your  career? 

A.  Approaching  50,  sir. 

Q. When you arrived at Fort Drum, did you have to sign an AUP?

A. I did, sir.

Q. When you arrived at FOB Hammer, did you have to sign an
AUP?

A. Yes, sir.

Q. Did all Soldiers upon arrival at FOB Hammer have to sign an
AUP?

A.  All  Soldiers  who  were  given  accounts  had  to  sign  an  AUP, 
yes,  sir. 

Q.  And  you  said  PFC  Manning  had  an  account? 

A.  Yes,  sir. 


8623 




Q.  During  the  course  of  this  investigation  did  you  locate  PFC 
Manning's  AUP? 

A.  I  did  not,  sir. 

Q.  And  was  this  the  only  AUP  that  you  could  not  find? 

A.  No,  sir.  We  were  unable  to  find  mine  as  well. 

Q.  Are  you  familiar  with  the  contents  of  an  AUP? 

A.  I  am,  yes,  sir. 

Q.  And  what  guidance  is  available  for  what  should  be  included 
in  an  AUP? 

A. AR 25-2 has a sample AUP that we would use to create an
AUP.

Q.  Are  you  familiar  with  this  sample? 

A.  I  am.  Yes,  sir. 

Q.  How  so? 

A.  Upon  redeployment  I  used  the  sample  AUP  to  draft  the  new 
AUP  for  the  brigade  with  some  other  AUPs  as  guidelines. 

Q.  So  when  you  deployed  back  —  or  redeployed  back? 

A.  When  I  redeployed  from  —  from  Iraq. 

Q.  When  you  arrived  at  FOB  Hammer  did  you  read  the  AUP? 

A.  I  did,  sir. 

Q. Can you explain how the -- how the sample AUP in the AR 25-2
compares to the actual AUP that you signed at FOB Hammer?


8624 




A.  They're  similar,  sir.  They  may  not  look  the  same,  but  the 
content  is  similar. 

Q.  So  it's  your  memory  was  the  AUP  that  you  signed  at  Hammer 
verbatim  to  the  sample  AUP  in  AR  25-2? 

A.  Most  likely  not,  no,  sir. 

Q.  Was  the  content  of  the  sample  AUP  substantially  similar  to 
the  content? 

A.  It  would  be  similar,  yes,  sir. 

Q.  Would  you  be  able  to  identify  this  sample  AUP? 

A.  I  would,  sir. 

Q.  How  would  you  be  able  to  identify  it  today? 

A.  The  sample  AUP  has  generic  terms  throughout  it  that  you  are 
meant  to  replace  when  you  create  your  own  using  it  as  a  boilerplate 
template.  For  example,  one  of  them  would  be  —  it  doesn't  have  the 
name  of  the  network  but  it  has  classified  network  name  and  then  the 
acronym is CNN — and I just found it amusing that CNN is a
classified  network  that  —  whatever  —  so,  yes,  stands  out  in  my 
mind. 

Q.  What  other  —  what  other  characteristics  about  the 
document? 

A. It says that it's a sample AUP, and it has several
regulations  —  rules  from  AR  25-2  listed  in  it. 


8625 




ATC [CPT WHYTE]: Let the record reflect I'm retrieving
Prosecution Exhibit 94 [retrieving the document from the court
reporter].

WIT: It also starts on Page 61, if that matters.

CDC [MR. COOMBS]: Your Honor, the defense objects to use of
Prosecution Exhibit 94 for Identification. And, if I could, I
believe trial counsel brought out most of the foundation, but if I
could voir dire in aid of my objection — it would be a the matter of
two or three questions to show -

MJ:  Go  ahead. 

CDC [MR.  COOMBS]:  -  that  this  is  not  relevant. 

MJ:  All  right. 

DEFENSE INDIVIDUAL VOIR DIRE OF CAPTAIN THOMAS CHEREPKO:
Questions  by  the  civilian  defense  counsel  [MR.  COOMBS] : 

Q.  Captain  Cherepko,  you  indicated  that  everyone  signed  an  AUP 
before  they  were  given  SIPRNET  access  in  Iraq,  correct? 

A.  Yes,  sir. 

Q.  Was  this  the  AUP  everyone  signed  [referring  to  Prosecution 
Exhibit  94  for  Identification]? 

A.  That  is  a  sample,  sir.  That  is  used  as  a  baseline  to  build 
the  actual  AUP. 

Q.  So  the  answer  would  be,  no,  this  is  not  the  AUP  that 
everyone  signed? 


8626 




A.  No,  sir,  this  is  not  an  actual  AUP.  It's  only  a  sample 
that's  used  to  create  the  actual  AUP. 

Q.  And  there  is  an  actual  AUP  that  had  terms  that  governed  how 
an  individual  could  use  the  SIPRNET? 

A.  Yes,  sir. 

Q.  And  everyone  signed  that? 

A.  Yes,  sir. 

Q.  You  said  you  couldn't  locate  PFC  Manning's  and  you  couldn't 
locate  yours? 

A.  Correct,  sir. 

Q.  But  you  could  locate  other  people's? 

A.  Yes,  sir. 

CDC [MR. COOMBS]: So we would object to the use of this sample
AUP because this was not what was signed. The government should be
able to produce an AUP that was signed by the Soldiers from 2/10
Mountain in order to get on the SIPRNET.

MJ: All right. Captain Whyte, is there the actual AUP that was
signed?

ATC  [CPT  WHYTE]:  It  couldn't  be  found,  ma'am.  But  this  sample 
AUP,  as  Captain  Cherepko  testified,  contained  substantially  all  the 
content  from  that  AUP  from  his  memory. 

MJ:  So  this  is  almost  sort  of  a  best  evidence  objection. 



CDC [MR. COOMBS]: Yes, Your Honor, and especially when you have three specifications that rise and fall on the AUP. So you've got Specifications 2 and 3 of Charge III, and then — and each of those obviously are AR 22 [sic] violations, and then you've got a 10 year offense. Specification 11 of — excuse me. Specification 13 of Charge II, which is a 10 year offense. And if the government is going to premise criminal liability based upon an AUP, they ought to be able to produce the AUP. I understand maybe they can't produce PFC Manning's. But we're talking about a whole brigade. Surely at least one AUP can be found from the brigade.

MJ: Government, normally I would not -- you know, the government's allowed to try the case as you want to, but, you know, in this — the government doesn't intend to actually question about the actual document signed when you have it.

ATC [CPT WHYTE]: We intend to elicit testimony from the witness about what was included in that AUP to his memory, Your Honor. And the sample AUP will help the witness testify to those things.

MJ: So would the AUP from Fort Drum, right?

TC [MAJ FEIN]: Can we have a moment, Your Honor?

MJ: Yes.

[Pause]

ATC [CPT WHYTE]: Can I ask the witness a few questions, Your Honor.



MJ:  Yeah. 

REDIRECT  EXAMINATION 

Questions  by  the  assistant  trial  counsel  [CPT  WHYTE] : 

Q.  Who  maintained  these  AUPs  at  Fort  —  at  Fort  —  at  FOB 
Hammer? 


A.  The  helpdesk  did. 

Q.  Are  you  familiar  with  what  happened  to  these  records  once 
they  were  signed? 

A.  Yes,  sir.  They  were  —  they  were  collected  from  the 
individual  and  then  they  were  stored  in  a  folder  in  the  helpdesk  in 
the  brigade  headquarters. 

Q.  Are  you  familiar  with  what  happened  to  these  records  once 
they  were  stored? 

A.  They  were  stored  just  on  a  shelf  in  the  --  in  the  helpdesk 
area  and  they  were  - 

Q.  Are  you  familiar  with  what  happens  to  these  documents 
throughout  the  deployment. 

A.  Yes,  they  remain  just  sitting  in  a  folder.  They  — they're 
never  really  referenced  again  unless  we  need  to. 

Q.  Are  you  familiar  with  what  happens  once  you're  redeployed? 

A.  Yes,  sir.  Usually  they're  destroyed. 



MJ: So there is no — now — now I'm completely confused. Is there or is there — are there — are there available documents from FOB Hammer -- AUPs that were signed by somebody else or not?

TC [MAJ  FEIN]:  Ma'am,  if  I  may? 

MJ:  Yes. 

Questions  by  the  trial  counsel  [MAJ  FEIN] : 

Q.  Captain  Cherepko,  what  is  —  do  any  AUPs  from  FOB  Hammer 
2/10  Mountain  exist  today? 

A. Not that I know of, sir.

Q.  And  did  they  exist  once  you  arrived  back  to  Fort  Drum? 

A.  I  don't  recall  of  any  arriving  back  to  Fort  Drum,  sir. 

Q.  Because  what  did  you  do  —  to  the  best  of  your  memory  what 
occurred  —  what  happened  to  those  AUPs  that  were  at  FOB  Hammer  in 
Iraq? 

A.  When  the  network  was  turned  off,  they  were  burned. 

TC [MAJ  FEIN]:  Thank  you.  And  there  are  no  AUPs  from  Fort  Drum 
—  or  —  excuse  me,  from  FOB  Hammer  when  the  unit  redeployed  because 
they  were  destroyed,  which  is  why  the  United  States  is  offering  to 
the  best  of  his  memory,  to  be  able  to  use  a  sample  AUP  and  to  be  able 
to  draw  —  to  aid  him  in  his  memory  of  what  was  on  the  AUP  when  it 
existed. 

MJ:  All  right,  do  you  want  to  voir  dire  the  witness  further? 

CDC [MR.  COOMBS]:  Yes,  Your  Honor. 



DEFENSE VOIR DIRE EXAMINATION OF CAPTAIN CHEREPKO

Questions by the civilian defense counsel:

Q. Captain Cherepko, you said you eliminated my client's ability to get on SIPRNET at some point?

A. Yes, sir.

Q. And when was that?

A. The night that he was detained.

Q. So roughly towards the end of May of 2010?

A. I don't recall the exact date, but yes, sir.

Q. Prior to your redeployment?

A. Yes, sir.

Q. And at that point AUPs still existed, right?

A. Yes, sir.

Q. But you hadn't redeployed?

A. Correct.

Q. So if the AUP wasn't secured at that point, that was -- that's because no one, I guess, asked for it?

A. Or it didn't exist, yes, sir.

Q. But somebody did come around looking for it from you, correct?

A. Yes, sir.

Q. And they asked if you could produce it?

A. I believe so, yes, sir.


Q.  And  you  said  I  can't  find  PFC  Manning's? 

A.  Correct. 

Q.  But  --  and  I  can't  even  find  mine? 

A.  Correct. 

Q.  But  you  had  others  at  that  point? 

A.  In  FOB  Hammer,  yes,  sir. 

Q.  But  no  one  asked  for  that  copy? 

A.  Not  that  I  recall,  no,  sir. 

Q.  And  the  government  is  attempting  now  to  use  25-2  - 

CDC [MR. COOMBS]: I'd like to have this marked as Defense Exhibit Alpha for Identification [handing the document to the court reporter who marked the document as directed].

Q.  You  said  you  used  25-2  to  create  your  own  AUP  at  some 
point? 

A.  Upon  redeployment,  yes,  sir. 

Q.  And  when  you  used  your  own,  you  added  in  your  own  terms  and 
whatnot? 

A. I did, sir. I used the sample from AR 25-2, the Division's and the Installation's, and I made sure that mine met the requirements of 25-2 and was nested with the Division's and the Installation's.

Q. So was yours quite a bit longer than the sample one in AR 25-2?



A. Yes, sir.

Q. Was it worded verbatim to the one in AR 25-2?

A. No, sir. There were sections that were verbatim, but the complete document was not verbatim. Because there are sections in the sample that you have to modify to suit your unit and your local policies and regulations.

CDC [MR. COOMBS]: In a moment I'm going to show you Defense Exhibit Alpha for Identification

WIT: Yes, sir.

CDC [MR. COOMBS]: - and see if you recognize it.

TC [MAJ FEIN]: Ma'am, is this a voir dire just -

MJ: Yeah, I'm allowing -

TC [MAJ FEIN]: to — for something that goes to weight?

MJ: I'm allowing it to see what we're going to use. Go ahead.

CDC [MR. COOMBS]: I'm showing you what's been marked as Defense Exhibit Alpha for Identification.

Q. Can you tell me what it is?

A. [Looking at the document] That is the Fort Drum Installation AUP.

Q. And what year and month is that AUP?

A. February 2010.

Q. So that would have been after your deployment?



A. It would have been in the middle of the deployment, yes, sir.

Q.  As  far  as  —  this  one  is  for  Fort  Drum,  correct? 

A.  This  is  for  the  Installation,  yes,  sir. 

Q. That wouldn't be the one that you would use downrange would it?

A.  No,  sir. 

Q.  And  how  many  pages  is  that  AUP? 

A.  [Counting  the  pages  in  the  document]  Seven,  sir. 

CDC [MR. COOMBS]: I'm retrieving Defense Exhibit Alpha for Identification from the witness. Your Honor, the — what the defense
would  ask  the  Court  to  do  is  look  at  Defense  Exhibit  Alpha  for 
Identification  and  the  version  that  the  government  wants  to  use  from 
25-2,  and  you  will  see  that  there's  —  there's  quite  a  bit  of 
difference  between  the  two  versions.  And  this  is  what  Fort  Drum  used 
for  AUP  when  they  came  back.  So  if  the  government,  again,  is  going 
to  premise  three  specifications  on  a  violation  of  —  two  on  a 
violation  of  AR  25-2  and  one  violating  an  AUP  or  the  1030  offense, 
the  terms  matter.  It  can't  be  close.  I'm  handing  Defense  Exhibit 
Alpha  for  Identification  to  the  Court,  and  I'd  request  that  the  Court 
compare  that  with  Prosecution  Exhibit  94  for  Identification. 

[Pause] 



MJ: I've looked at both of them. Mr. Coombs, that's what they have cross-examination for. You'll be free to question the witness about the Fort Drum AUP. I'm going to let the government go ahead and use Prosecution Exhibit 94 for Identification. I understand your objection.

ATC [CPT WHYTE]: I'm retrieving Prosecution Exhibit 94 from the court reporter — for ID [retrieving the document from the court reporter] -

CDC [MR. COOMBS]: Ma'am, for clarification, it's being used for illustrative purposes only. It is not being used as the AUP signed by my client.

MJ: Yes.

CDC [MR. COOMBS]: Thank you, Your Honor. I believe that's the government's position, right? That's not the AUP that was signed --

ATC [CPT WHYTE]: That is correct, Your Honor.

Questions continued by the assistant trial counsel [CPT WHYTE]:

ATC [CPT WHYTE]: I'm handing the witness Prosecution Exhibit 94 for ID.

Q. Captain Cherepko, please look at that document and let me know when you're finished.

[The witness did as directed and read the document.]

A. Yes, sir.



Q. Are you familiar with that document?

A. I am, sir.

Q. What is that document?

A. That is the sample acceptable use policy in the back AR 25-2.

Q. And how do you know that?

A. Because it starts on Page 61 of AR 25-2. It labels itself as "the sample of acceptable use policy," and in the contents of it it uses the terms that are being replaced with your specific unit information such as classified network name, insert unit name here — that sort of information.

Q. Again, can you please explain to the Court how this sample, to the best of your memory, compares with the actual AUP that you signed at FOB Hammer?

A. It's similar.

ATC [CPT WHYTE]: Your Honor -

A. It may not look identical, but the content is similar.

ATC [CPT WHYTE]: Your Honor, we offer Prosecution Exhibit 94 as the next prosecution exhibit.

CDC [MR. COOMBS]: Your Honor, the defense would object. And in this instance — I don't know if the witness actually read the — in that amount of time, but this seems to be similar meaning like, well, it looks like an AUP and there might be some similar terms, but to offer this into evidence — actual evidence — in this case it has no relevance to this case here because it's not what my client signed, for one. Second, even though the witness does have personal knowledge of the AUP that was signed, in this instance all he's saying is that it's similar. And most of the time that might go just to weight instead of its admissibility. But in this instance because of the fact that the terms actually matter, what is relevant is the actual terms of the AUP. So we would argue under 403 that this is also unfairly prejudicial and it is confusion of the actual issues, and that are — that is what are the terms that PFC Manning had to abide by while he was deployed.

MJ:  Well  —  government? 

ATC [CPT  WHYTE]:  Well,  Your  Honor,  the  —  actually  the  defense's 
exhibit  as  well  was  not  a  record  that  PFC  Manning  actually  saw 
himself.  It  was  a  document  produced  or  created  during  the  deployment 
and  Captain  Cherepko  signed  that  document  when  he  redeployed  back  to 
Drum,  which  the  accused  did  not  do.  So  that  also  is  not  a  document 
that  PFC  Manning  actually  saw.  What  we're  trying  to  —  what  we're 
asking  Captain  Cherepko  to  do  is,  based  on  this  sample,  to  testify  as 
to  what  that  AUP  that  he  signed  at  FOB  Hammer  consisted  of. 

MJ: Well, here's what I'm going to do with that. With the foundation you've laid so far, I'm going to sustain the defense objection. If you want to go through the document paragraph by paragraph and talk to the witness about what he remem -- what he — since he's coming back from memory what he remembers the actual AUP said. I'll listen.

ATC [CPT WHYTE]: Okay, so — just to clarify, Your Honor, we can talk to the witness about what was included in the FOB Hammer -

MJ: Yes.

ATC [CPT WHYTE]: — AUP? But not through reference of Prosecution Exhibit 94 for ID.

MJ: You can use 94 - Prosecution Exhibit 94 for Identification to go through with the witness, this is what the sample says, paragraph one; did — did -- was yours any different? Was it the same? Was it -

ATC [CPT WHYTE]: Okay.

TC [MAJ FEIN]: Your Honor, may we have a brief moment?

MJ: Yes.

[Pause]

ATC [CPT WHYTE]: Your Honor, we offer Prosecution Exhibit 94 as Prosecution Exhibit — or Prosecution Exhibit 94 for ID as Prosecution Exhibit 94.

CDC [MR. COOMBS]: Same objection, Your Honor.

MJ: Well, after you've gone through the paragraphs we'll address that.

ATC [CPT  WHYTE]:  Yes,  ma'am. 



TC [MAJ  FEIN]:  Ma'am,  may  we  have  a  short  recess? 

MJ: Yes. How long would you like?

TC [MAJ  FEIN]:  10  minutes,  ma'am. 

MJ:  Captain  Cherepko,  please  don't  discuss  your  testimony  or 
your  knowledge  of  the  case  with  anyone  during  the  course  of  the 
recess.  Court  is  in  recess. 

[The  court-martial  recessed  at  1642,  12  June  2013.] 

[The  court-martial  was  called  to  order  at  1651,  12  June  2013.] 

MJ: Court is called to order. Let the record reflect all parties present when the Court last recessed are again present in court. Captain Whyte? The witness is on the witness chair.

ATC [CPT WHYTE]: Yes, ma'am. Permission to publish the exhibit.

MJ: Proceed.

ATC [CPT  WHYTE]:  I'm  retrieving  Prosecution  Exhibit  94  for  ID 
from  the  court  reporter  [retrieving  the  document  from  the  court 
reporter  and  handing  it  to  the  witness] . 

Questions  continued  by  the  assistant  trial  counsel  [CPT  WHYTE] : 

Q.  Captain  Cherepko,  earlier  you  said  that  the  FOB  Hammer  AUP 
was  nested  from  the  sample  AUP  in  AR  25-2.  What  do  you  mean  by  that? 

A. The one that I created after redeployment I used 25-2 sample as the baseline, and I took my Headquarters and my Installation's AUPs and made sure that any local policies that they in placed were also covered under my AUP.



CDC [MR. COOMBS]: Your Honor, I object to relevance of anything after the redeployment. So we should be focusing on any AUPs signed by PFC Manning at this point.

MJ: I believe the government's question was the AUP — directing you to the AUPs that you used Fort Hammer that you no longer — correction, FOB Hammer, that you no longer have.

WIT: Yes, ma'am. I didn't draft that — that AUP. It was in place when I arrived at the FOB. The only AUP that I created was after redeployment.

MJ: Maybe you need to target your questions a little bit better.

ATC [CPT WHYTE]: Yes, ma'am.

Q. Can you just explain again how the sample AUP compare — in 25-2 compared to the actual AUP that you signed at FOB Hammer to the best of your memory?

A. To the best of my memory the content was very similar. There's a -- the sample in 25-2 covers what needs to be in a -- an acceptable use policy. And to the best of my memory there — the content and the subject matter is very similar.

Q. Captain Cherepko, can you please just read to yourself paragraph Number 1 of Prosecution Exhibit 94 for ID.

[The witness did as directed and read the document.]

A. Yes, sir.



Q.  So  to  the  best  of  your  memory,  how  did  the  AUP  that  you 
signed  at  FOB  Hammer  compare  to  this  paragraph  in  the  sample  AUP? 

A.  It  may  not  have  been  verbatim,  but  it  was  the  same  intent. 

Q.  And  what  was  that  intent? 

A.  You  —  you  —  you're  signing  that  you  understand  that  the 
2nd  Brigade,  10th  Mountain  SIPRNET  or  the  2nd  Brigade,  10th  Mountain 
NIPRNET  is  —  it's  your  responsibility  to  follow  the  rules  and  not 
make  any  unauthorized  modifications,  changes,  or  do  anything  to 
circumvent  security. 

Q.  Captain  Cherepko,  can  you  please  read  to  yourself  Paragraph 
6  Hotel? 

[The  witness  did  as  directed  and  read  the  document.] 

A.  Okay. 

Q.  And  to  the  best  of  your  memory,  how  did  the  AUP  that  you 
signed  at  FOB  Hammer  compare  to  this  AUP  —  this  sample  AUP  in  25-2? 

A.  Again,  I  can't  recall  verbatim  what  it  said,  but  the  —  the 
restriction  on  introducing  software  to  the  network  or  to  a  system  is 
prohibited  —  was  prohibited. 

Q.  Are  you  familiar  with  what  an  "executable  file"  is? 

A.  Yes,  sir. 

Q.  What  is  an  "executable  file"? 

A. An "executable file" is a piece of software that is able to be run without administrator privileges. It wasn't require being installed — it doesn't require any modifications of the operating system, and it can be run from a CD, a flash drive, from a shared drive from a network location, from the desktop. There's no — there's no requirement to install an executable file.

Q. When PFC Manning was at FOB Hammer were you familiar with what Wget was?

A. When he was at FOB Hammer, no, sir.

Q. But you're familiar with it today?

A. Yes, sir.

Q. What is Wget?

A. It's an executable file that's used to scrape sites or sources and retrieve any data that's set in the parameters of the program to retrieve; whether it's all or a specific type or what have you.

Q. And to the best of your knowledge at FOB Hammer was Wget an authorized executable file?

A. It was not, no, sir.

Q. Are you familiar with the "certificate of networthiness"?

A. I am, sir.

Q. What is the "certificate of net worthiness"?

A. A "certificate of networthiness" is an organization for a piece of software to be used on an Army network.


Q.  And  when  you  were  on  the  FOB  Hammer  was  Wget  on  this 
certificate  of  net  worthiness? 

A.  No,  sir. 

Q.  So  what  does  that  mean? 

A.  It  was  not  authorized. 

Q.  Captain  Cherepko,  if  you  could  please  read  Subparagraph  0. 

[The  witness  did  as  directed  and  read  the  document.] 

A.  Yes,  sir. 

Q. And to the best of your knowledge, how did the AUP that you signed at FOB Hammer compare to Subparagraph 0 of the sample AUP?

A. It would be very similar. That is a required statement, not only on AUPs, but every time you log into the machine, that statement, or one very similar to it, is displayed.

ATC [CPT WHYTE]: Let the record reflect I'm returning to the clerk Prosecution Exhibit 94 for ID.

Q.  Captain  Cherepko,  are  you  familiar  with  the  T-drive  at  FOB 
Hammer? 

A.  I  am. 

Q.  What  was  the  T-drive? 

A.  The  T-drive  was  a  shared  drive  that  was  on  the  network  that 
users  had  access  to  to  store  files  on. 

Q.  And  when  you  arrived  at  FOB  Hammer,  what  was  the  status  of 
the  T-drive? 



A.  It  was  in  place  and  operational. 

Q.  And  what  network  was  it  on? 

A.  It  was  on  SIPR. 

Q.  What  restrictions  were  placed  on  the  T-drive  for  access? 

A.  If  you  were  not  a  member  of  the  2nd  Brigade  10th  Mountain 
domain,  you  did  not  have  access  to  the  shared  drive.  And  if  you  were 
a  member  of  the  domain,  there  were  very  few  restrictions  on  where  you 
—  where  you  could  view,  edit,  or  remove  files. 

Q. So what prevented a user from moving information on the T-drive?

A.  Nothing,  sir.  The  intent  of  the  T-drive  is  to  place 
information  there,  retrieve  information  so  that  you  don't  fill  up  the 
local  storage  on  your  computer. 

Q.  And  what  prevented  the  users  from  removing  something  from 
the  T-drive? 

A.  Nothing,  sir. 

Q.  Let's  talk  about  the  administrative  rights  with  the 
network.  Who  is  an  administrator? 

A.  An  administrator  is  a  person  with  elevated  privileges  that 
allows  him  or  her  to  make  modifications  to  software  or  hardware. 

Q.  So  what  is  it  --  just  explain  again  what  does  it  mean  to 
have  administrator  rights? 



A.  It  means  you  have  the  ability  to  install  hardware,  make 
changes  to  the  operating  system,  or  install  software. 

Q.  So  what  can  a  user  not  do  without  being  the  administrator? 

A.  They  cannot  install  hardware,  they  cannot  install  software. 
They  cannot  make  modifications  or  changes  to  their  operating  system. 

Q.  What  were  the  administrators  of  the  share  drive? 

A.  The  administrators  of  the  shared  drive  were  my  Soldiers  and 
the  —  the  system  administrators  who  worked  for  me. 

Q.  Did  PFC  Manning  have  administrator  privileges? 

A. No, sir.

Q.  Was  PFC  Manning  authorized  to  install  software? 

A.  No,  sir. 

Q.  What  happened  if  someone  wanted  to  install  software  onto 
their  government  computer? 

A.  They  would  request  a  piece  of  software  that  they  did  not 
have  through  the  helpdesk,  and  then  the  helpdesk  would  check,  and  if 
it  was  an  authorized  piece  of  software  that  we  had  a  license  for  and 
was  readily  available,  they  would  install  it.  If  it  was  not  either 
available  or  we  did  not  have  a  license  or  it  was  not  authorized,  then 
the  helpdesk  would  come  see  me. 

Q.  And  what  would  you  do? 

A.  I  would  then  research  the  availability  of  obtaining  the 
software. 



Q. Would you check to see if it was an approved program?

A. I would, yes, sir.

Q. At FOB Hammer, to the best of your memory, did PFC Manning ever ask you to install a program onto his computer?

A. No, sir.

Q. You testified earlier that you are familiar with Wget. Can you please just one last time explain the installation process for Wget?

A. There is no installation process. If you have it on a CD or thumb drive or on your desktop you can simply run it. There's no administrator rights required.

Q. And you said Wget was an executable file?

A. Yes.

Q. So how does using an executable file like Wget allow a user to circumvent a need to actually come see the S-6?

A. There's no administrator required to install it. You simply run it from a disk or run it from a desktop.

Q. So who was capable of putting a program like Wget, an executable file, onto their computer?

A. Anyone.

Q. Was PFC Manning authorized to put Wget onto his computer?

A. No, sir. No one was.


Q. What Army regulation prohibits Soldiers from using unauthorized executable files?

A. AR 25-2.

Q. And what documents do Soldiers sign that prohibits them from using executable files — unauthorized executable files?

A. An acceptable use policy.

Q. What type of software is Wget?

A. I believe it's freeware.

Q. And what is "freeware"?

A. "Freeware" is software that you can download from the internet or whatever source you obtain it from and you do not have to pay for it.

Q. Is freeware authorized?

A. It is not. It is specifically prohibited.

Q. Under what authority?

A. AR 25-2.

ATC [CPT WHYTE]: One moment, Your Honor.

[Pause]

Q. Now you testified earlier that you were the administrator -- you were one of the administrators?

A. I was, yes, sir.

Q. What were you the administrator of?


A. I was the manager of all of the administrators, and by necessity I was also the senior administrator for the brigade. Any problems that the — the helpdesk Soldiers or any of my technicians couldn't solve, they would bring to me for the network, the LAN, the WAN, the enterprise services, local desktop computers, VTC suites, CPOFs, the battlefield command systems, any other command and control systems.

Q. Are you familiar with DSIGs machines?

A. I — slightly familiar, yes, sir.

Q. Did you have DSIGs machines at FOB Hammer?

A. I believe we did, yes, sir.

Q. Were you the administrator of the DSIGs machines?

A. I was not.

Q. Who was the administrator?

A. I am not sure.

ATC [CPT WHYTE]: No more questions, Your Honor.

MJ: Okay.

CROSS-EXAMINATION

Questions by the civilian defense counsel [MR. COOMBS]:

Q. Captain Cherepko, just for a moment to talk about the AUP that you were shown. You talked about something being, I think it might be similar, am I correct that you read this once when you got to FOB Hammer and signed it?


A.  The  2nd  Brigade  AUP  at  FOB  Hammer? 

Q.  Correct. 

A.  Yes,  sir. 

Q. And after that you weren't reading it on a daily basis were you?

A.  No,  sir,  not  on  a  daily  basis. 

Q.  Were  you  in  charge  of  briefing  other  people  on  the  AUP  and 
having  them  sign  it  and  supervise  them  signing  it? 

A.  No,  sir.  I  delegated  that  to  my  helpdesk  NCOIC. 

Q.  So  you  weren't  even  reviewing  that  AUP  on  a  daily  basis? 

A.  No,  sir. 

Q.  So  when  you  talked  about  it  looked  similar,  you're  basing 
that  on  a  memory  of  seeing  the  document  —  the  one  that  was  signed  by 
you  when  you  deployed  in  2009,  right? 

A.  Yes,  sir. 

Q.  And  now  in  2013,  that's  where  you're  testifying  based  upon 
that  memory,  back  in  2009,  is  that  right? 

A.  Yes,  sir. 

Q.  And  when  you  say  I  think  that's,  you  know,  similar  or  I 
believe  that  was  in  there,  do  you  know  that  or  are  you  making 
basically  an  educated  guess  based  upon  what  you  would  think  would  be 
in  there? 



A.  I'm  making  a  —  a  logical  assumption  that  when  you  create 
an  AUP  the  best  business  practice  is  to  take  the  example  that  the 
Army  gives  you  and  says  this  is  the  standard  and  you  use  that,  along 
with  local  policies,  and  you  create  your  document.  And  every  AUP 
I've  ever  seen  has  very  similar  content. 

Q.  Okay.  And  then  —  I  showed  you  Defense  Exhibit  Alpha  for 
Identification  and  you'd  agree  with  me  that  that  is  much  more 
substantial  than  what  is  --  what  was  shown  for  --  to  you  from  25-2, 
correct? 

A.  Oh,  yes,  sir.  But  the  actual  —  the  actual  content  and 
quantity  of  content  will  vary  from  location  to  location  even  within  a 
local  installation  because  most  of  that  is  local  policies  that  is 
added  by  the  command  creating  the  AUP. 

Q.  All  right.  Now,  even  within  the  AUP,  the  one  term  that  the 
government  had  you  look  at  with,  you  know,  I  will  not  add  malicious 
code  or  whatnot,  had  a  phrase  in  there  "without  authorization", 
correct? 

A. I believe so, sir. I don't recall what it said, but — yes.

Q.  You  don't  recall  something  you  just  read  a  few  minutes  ago? 

A.  Yes,  sir. 

Q.  Okay.  So  do  you  need  me  to  refresh  your  memory  on 
something  you  read  a  few  minutes  ago? 



A. No, I'm fine. Thank you.

Q. So, again, did it say "without authorization" in it?

A. On the sample AUP, sir?

Q. Correct.

A. I would — if you could refresh me that would be great, sir.

Q. I'll be glad to.

CDC [MR. COOMBS]: I'm going to retrieve -

[Pause]

MJ: Are you referring to Prosecution Exhibit 94 or Defense Exhibit Alpha?

CDC [MR. COOMBS]: Prosecution Exhibit 94, ma'am.

[The civilian defense counsel retrieved the document from the court reporter and handed it to the witness.]

Q. This is a — something that the government went over with you a few minutes ago and they asked you to read -

A. Yes, sir, I see it.

Q. - Hotel to you. And you read that and they asked you, you know, was this the one that you signed? You said, I believe so. So now just refreshing your memory, do you see "without authorization" there?

A.  I  do.  Yes,  sir. 




Q. Okay. So that would mean that if you obtain authorization you could do it, I imagine?

A. Yes, sir.

CDC [MR. COOMBS]: Returning Prosecution Exhibit 94 to the reporter.

Q. Now, you said you were the Brigade's Automations Officer for the 2nd BCT?

A. Yes, sir.

Q. And your primary duty as I understood it was to manage, maintain, and secure the brigade's digital communications, is that right?

A. Yes, sir.

Q. And as the Brigade Automations Officer, you were also the Information Assurance Manager for the brigade, the IAM?

A. Yes, sir.

Q. You were appointed to this duty on orders?

A. I was, sir.

Q. And as the IAM, you were the person in charge of ensuring information assurance practices were being followed by the brigade?

A. Yes, sir.

Q. You were in charge of ensuring any required training on information assurance was being done by the brigade?

A. Yes, sir.



Q.  Other  than  the  online  IA  security  training  that  everyone 
does,  did  you  do  any  additional  training  while  deployed  on  IA; 
information  assurance? 

A.  Posted  flyers  and  bulletin  —  on  bulletin  boards  and  little 
reminders,  you  know,  don't  use  thumb  drives,  security  is  your 
responsibility,  and  little  reminders  around  the  brigade  headquarters, 
but  no  formal  training.  No,  sir. 

Q.  Okay,  and  that  applied  to  the  brigade  as  a  whole,  correct? 

A.  Yes,  sir. 

Q.  Now,  I  want  to  ask  you  a  little  bit  about  the  shared  drive. 
That's  the  T-drive,  am  I  right? 

A.  Yes,  sir. 

Q.  The  T-drive  was  authorized  to  store  up  to  secret 
information? 

A.  Correct,  sir. 

Q.  And  users  were  permitted  to  —  to  basically  save 
information  on  the  T-drive  if  they  wanted  to? 

A.  Yes,  sir.  It  was  available  for  any  user  on  the  domain  to 
share  information  —  or  store  information. 

Q.  And  obviously  a  user  might  do  this  if  they  wanted  to  have 
something  on  the  shared  drive,  and  if  it  was  lost  by  --  because  their 
computer  crashed,  they  would  be  able  to  go  to  the  shared  drive,  is 
that  right? 




A. That is one use of it, yes, sir.

Q. And there was no limitation on the amount of classified information that you placed onto the T-drive, is that right?

A. The only limitation would be the physical storage limits of the device itself. I didn't — I didn't place any limits on individuals.

Q. And was there any limitation on the type of classified information that you stored on the T-drive?

A. Yes, sir. You could only store up to secret.

Q. Okay, so if it — if it were secret, you could store it on the T-drive?

A. Yes, sir.

Q. As the brigade IAM, was there any limitation on saving classified information onto CD if you wanted to?

A. At the time, no, sir. As long as you -

Q. I imagine if you did it — you put it on a CD you would have to appropriately label it?

A. As long as you appropriately labeled it, yes, sir.

Q. And other than that, once you did that you could -- you could do that with authorization?

A. Yes, sir.

Q. Now, as the IAM, the Information Assurance Manager, you saw a lot of unauthorized media on the T-drive, am I correct?




A.  I  did,  sir. 

Q.  You  saw  media  —  this  media  basically  on  a  regular  basis? 
A.  Yes,  sir. 

Q.  And  the  unauthorized  media  included  music? 

A.  Yes,  sir. 

Q.  It  included  movies? 

A.  And  games,  yes,  sir. 

Q.  And  games? 

A.  Yes,  sir. 

Q.  Did  —  and  the  games  were  executable  files,  correct? 

A.  They  are,  sir. 

Q.  Did  you  see  other  executable  files  besides  games? 

A.  Not  that  I  recall,  no,  sir. 

Q.  Do  you  recall  seeing  mIRC  chat  on  the  T-drive? 

A.  Yes,  sir. 

Q.  And  is  that  an  executable  file? 

A.  No,  sir,  it  requires  installation. 

Q.  All  right.  So  from  your  memory,  mIRC  chat  on  the  T-drive 
was  not  an  executable  file? 

A.  No,  sir. 

Q. Okay. Now executable files — let's talk about that for a moment. There're -- there're programs that can run without actually adding them to the computer, am I correct?



A.  Correct. 

Q.  So  if  you  took  a  executable  file  and  you  put  it  on  the 
desktop  of  your  computer  - 

A.  Yes,  sir. 

Q.  -  and  you  double  clicked  on  it,  it  would  run? 

A.  It  would,  yes,  sir. 

Q.  And  you  wouldn't  need  admin'  rights  for  that? 

A.  No,  sir. 

Q.  And  the  prosecutor  said  that,  you  know,  some  way  you  could 
circumvent  admin'  rights  —  admin'  rights,  but  with  executable  files 
you're  not  circumventing  admin'  rights,  correct? 

A. No, the file is designed that you don't install it. So there's no — there's nothing that shows that you need an administrator rights to run it or operate it. It just executes its commands.


Q.  And  if  you  didn't  want  to  put  it  on  your  desktop,  you  could 
run  an  executable  file  from  a  CD  as  well,  couldn't  you? 

A. You could run it from a CD, from a flash drive, from the T-drive, from anywhere you could get access to it.

Q.  And  Wget  —  I  know  you  said  you  became  familiar  with  that 
program  as  part  of  this  case? 

A.  Yes. 

Q.  But  Wget  is  an  executable  file,  right? 




A. Yes, sir.

Q. And if — if a Soldier wanted to run Wget from a CD, they didn't need admin' rights for that?

A. No, sir.

Q. If they wanted to run it from the desktop of their computer, they didn't need admin' rights for that?

A. No, sir.

Q. Now, from your position as the IAM, was there any kind of S-6 Captain Cherepko authorized music, movies, executable files, games, folder on the T-drive?

A. No, sir.

Q. So the Colonel -- Colonel Miller -- I believe -- he was your Brigade Commander, right?

A. Yes, sir.

Q. Did Colonel Miller say, hey, here's the MWR folder that Captain Cherepko approved of that has movies, music, games, mIRC chat, and all sorts of other stuff that we've approved of, and you can go there and use it?

A. No, sir.

Q. So that was never done?

A. No, sir.



Q. As the brigade IAM, I imagine you would know this, but did Colonel Miller ever come to you and say I want to authorize mIRC chat on my DCGS-A computers?

A.  Colonel  Miller?  No,  sir. 

Q.  Did  he  ever  say,  hey,  we  need  to  put  together  a  letter  that 
says,  I  know  mIRC  chat's  not  part  of  the  baseline  program  for  DCGS-A, 
but  I  want  to  take  on  the  responsibility  of  getting  it  on  my  DCGS-A 
computers  because  it's  mission  essential? 

A.  Sir,  I  was  not  involved  with  DCGS-A  configurations  or 
management  at  all.  So  if  that  were  the  case,  I  would  have  not  been 
able  to  comply  with  his  request.  But,  no,  he  did  not  —  never  —  he 
never  asked  me  for  that. 

Q. And — and being a staff officer myself at different times, I imagine if the brigade commander wanted to do something, he would first go to you, his staff officer, who is basically in charge of that type of stuff to talk to you about it?

A.  Most  likely  he  would  have  gone  to  my  supervisor  first,  sir. 

Q.  That  would  be  Major  Morrow? 

A.  Yes,  sir. 

Q.  And  I  imagine  that  that  would  be  batted  around  with  you 
then  at  some  point? 

A.  Yes. 




Q.  Do  you  recall  at  any  point  Colonel  Miller  talking  about 
adding  mIRC  chat  to  DCGS-A  computers? 

A.  No,  sir. 

Q.  Now,  whenever  you  saw  music,  movies,  and  executable  files 
on  the  T-drive,  you  would  remove  it,  correct? 

A.  I  would  —  I  would,  yes,  sir. 

Q.  And  even  though  you  deleted  these  files,  they  would  come 
back  onto  the  T-drive? 

A.  Yes,  sir. 

Q.  So  users  would  add  it  back  onto  the  T-drive? 

A.  Yes,  sir. 

Q.  And  I'm  correct  then  this  was  not  something  that  was  just 
leftover  from  the  previous  brigade,  3/82,  correct? 

A.  I  may  have  been,  sir. 

Q.  But  when  it  was  deleted  and  then  put  back  on  obviously  3/82 
is  not  putting  it  back  on? 

A.  3/82  would  not  put  it  back  on,  no.  But  it  still  may  have 
been  remnants  from  3/82  if  it  was  a  local  machine  and  then  they  were 
copying  it  from  a  local  machine  back,  or  if  they'd  copied  it  to  a  CD 
and  then  were  moving  it  back  —  but  —  but  —  no,  3/82  did  not. 

Q.  So  when  it  got  back  onto  the  T-drive,  that  was  from 
somebody  in  your  brigade? 

A.  You  could  make  that  assumption,  yes,  sir. 



Q.  And  would  you  make  that  assumption? 

A.  I  would,  sir. 

Q.  Now,  you  alerted  your  command  to  the  presence  of 
unauthorized  media  on  the  T-drive,  is  that  right? 

A.  I  did,  sir. 

Q.  You  notified  your  immediate  supervisor,  Major  Morrow? 

A.  Yes,  sir. 

Q. And you also notified your Brigade XO, Lieutenant Colonel Kearns?

A. Through Major Morrow, yes, sir.

Q. And you told them about the presence of unauthorized media on the T-drive?

A. I did, sir.

Q. And you told them about the practice of placing unauthorized media on the T-drive needed to stop?

A. I did. And I also explained the reasons why.

Q. And that was because you viewed it as an information assurance threat?

A. Yes, sir.

Q. And to your knowledge, nothing was done by the chain of command to basically act upon what you said?

A. The command agreed that the practice needed to stop.

Q. But nothing was done?




A.  I  don't  know  that  they  did  or  did  not  take  any  actions  on 
it.  I  just  know  that  the  practice  didn't  stop. 

Q.  You  just  know  what? 

A.  That  the  practice  of  putting  the  information  on  there 
didn't  stop. 

Q.  And  in  fact  it  didn't  stop  until  you  kind  of  unplugged  the 
network  to  redeploy? 

A.  That  would  be  about  the  time,  yes,  sir. 

Q.  To  your  knowledge,  was  there  ever  anyone  punished  for 
placing  unauthorized  media  on  the  T-drive? 

A.  Not  that  I  know  of,  sir. 

Q. If a member of the brigade came to you and said, now, Captain Cherepko, I've got a mission essential program that I need to install on my computer, what would be the process for you to get that done?

A.  It  depends  on  the  software  and  whether  or  not  I  have  it, 
it's  authorized,  and  I  have  a  license  allowing  me  to  legally  use  it. 
If  I  have  approval;  the  hard  —  the  software  and  a  license,  then  I 
would  just  install  it.  If  I  did  not  have  one  of  those  three,  I  would 
then  investigate  the  process  of  obtaining  one  of  those  three  —  the 
missing  piece  of  the  puzzle. 

Q.  And  have  you  ever  had  a  situation  where  you  had  to  go 
through  that  approval  process  of  trying  to  find  the  — 



A.  Yes,  sir. 

Q.  —  approval?  And  - 

A.  Oh,  approval? 

Q. Correct. Something that you didn't already have approval for?

A.  No,  sir  —  only  I  didn't  have  licenses,  so  I  had  to 
purchase  it. 

Q.  And  do  you  even  know  the  process  of  how  that  would  happen 
if  you  —  you  didn't  have  a  license  for  it  and  —  and  there  was  not 
approval  for  it? 

A. If I didn't have a license, I would simply go to the S-4 and begin the process to purchase one. If I didn't have approval, I would call up the G6 at Division and begin the process required to obtain approval to use the software.

Q.  And  I  don't  want  to  go  through  the  whole  process,  but  is 
that  a  long  process? 

A.  It's  not  short.  Yes,  sir. 

Q.  Have  you  ever  successfully  gone  through  that  process  where 
you  went  through  the  G6? 

A.  I  have  not.  No,  sir. 

Q.  Have  you  ever  heard  of  anyone  going  through  the  process  to 
get  approval  through  the  G6? 




A. Not personally. But I can assume that it has happened because there are hundreds of programs on the con' that are approved. But I — I don't know of anyone who has actually done it.

Q. Okay. Now, with regards to the IAM program, I think we understand that only an administer can actually add the program, right?

A. Yes.

Q. But with a executable file, were you aware whether or not Soldiers were adding executable files to the desktop of their computer?

A. I was not. Other than games that I would find on the T-drive, no, I was not aware of any other executable files.

Q. And when you say "games"; games would function much like Wget or any other executable file that once you click on it, it actually starts to run?

A. Not all, but most.

Q. All right. So some games would function the same way as a Wget would?

A. Some would.

Q. Were you aware of whether or not anyone in the unit — Soldiers in the unit believed that they could add games, music, executable files — like, they were given approval to do that?




A. No, sir. Everyone signed the document that said they would not add software or change the baseline. And beyond that, no one that I know ever told them that they were, and none of the officers or NCOs that I -- that I knew personally thought that it was acceptable.

Q. But am I correct in saying it wasn't very hard for you to search the T-drive and find executable files, find music, find movies?

A. No, sir, it was not.

Q. And pretty much any day you wanted to, you could go look and you would find it?

A. More or less, yes, sir.

Q. And even though that was the case, to your knowledge, that stuff never came off of the T-drive — the music, movies and games — it never came off the T-drive until you basically unplugged yourself?

A. No, sir. It would disappear for short periods of time after I found it and deleted it. And then it would reappear hours, days, week, months later. But for a brief period of time, it was free of all unauthorized media.

Q. Okay. And so every kind of Soldier and NCO you knew understood that it was not appropriate, correct?

A. Correct.




Q.  Did  you  ever  get  to  the  bottom  of  who  was  adding  all  this 
stuff  onto  the  T-drive? 

A. Whenever I was able to identify a Soldier who was doing -- adding the media, I would go to that Soldier, explain the reasons why it's a bad idea. I would explain to their first line supervisor why it was a bad idea. And then I would leave it up to their chain of command to pursue the — the — whatever they wanted to do to the Soldier.

Q.  And,  to  your  knowledge,  was  anything  ever  done  by  the  chain 
of  command? 

A.  Not  that  I  know  of. 

Q.  Let's  talk  about  access  controls  on  the  shared  drive.  Do 
you  know  why  none  of  the  files  on  the  T-drive  were  encrypted? 

A. It was a secure network. There was no need to encrypt the files.

Q.  So  any  file  on  the  T-drive;  video  or  otherwise,  would  be 
unencrypted? 

A.  Yes,  sir.  Unless  the  user  opted  to  encrypt  the  file  for 
some  reason. 

Q.  Do  you  know  why  none  of  the  information  on  the  T-drive  was 
compartmentalized? 




A.  It  was  —  it  was  compartmentalized  into  folders,  but  there 
was  no  restrictions  on  who  could  access  the  folder,  if  that's  what 
you  mean. 

Q.  That  is  what  I  mean. 

A.  Yeah. 

Q.  So,  in  other  words,  if  —  if  I  had  access  to  the  T-drive,  I 
had  access  to  everything  on  the  T-drive? 

A.  Yes,  sir.  Unless  there  was  a  restriction  requested.  If  a 
—  if  a  Soldier  or  a  staff  officer  or  someone  would  come  to  me  and 
request  a  restriction  on  a  file  or  folder,  I  would  initiate  that 
restriction.  An  example  I  can  give  you  is  the  S-3  shop  did  not  want 
anyone  to  be  able  to  modify  the  long  range  planning  calendar,  so  I 
put  a  restriction  that  only  one  master  sergeant  could  edit  that 
document.  Everyone  could  view  it,  but  only  one  person  could  edit  it. 
So  if  you  asked  for  it,  I  gave  it  to  you.  But  I  don't  make  the 
decision  on  what  you  do  and  what  the  S-3  does  and  does  not  want 
restricted. 

Q.  And  was  that  hard  to  do  —  if  you  wanted  to  put 
restrictions  to  limit  access  to  certain  information  on  the  T-drive, 
was  that  a  difficult  thing  for  you  to  do? 

A.  For  me  to  do?  No,  sir.  For  the  users,  yes. 

Q. Okay. Now I want to talk about the use of executable files on the desktop of a computer.




A. Okay, sir.

Q. We established that you don't need admin' rights to do that. But from your position as the IAM could — could computers be configured to where that would not be a — a process that you could do — that you couldn't put an executable file on the desktop of a computer?

A. There are systems that exist that would alert you — not the user, but would alert the administrators to the use of executable files and would not allow them to run, yes.

Q. And if — and I know you weren't in control of the DCGS-A, but for your computers, if you wanted to, and say — say for any S-6 computer we want to make sure no executable files are run, could you have prevented that from happening?

A. No, sir.

Q. And why not?

A. I did not have the system that the Army has purchased to prevent those types of events from occurring.

Q. So it was a resource thing for you?

A. Yes, sir. I had not been issued the HPSS system that does that.

Q. But that was possible, if you got resource of that system you could prevent somebody from using executable file, is that correct?




A. More or less. It would be possible if I was given the system and we had the training and the understanding to properly employ the system.

Q. Okay. Let's talk about access controls on the SIPRNET, all right?

A. Sure, sir.

Q. Other than information that might be password protected, were there any access controls on the SIPRNET that you're aware of?

A. I'm not sure what you mean, sir.

Q. If I had SIPRNET access, like I was a person who had the clearance, had a computer hooked up to the SIPRNET, was there any limitation on what I could go see on the SIPRNET?

A. Yes, sir.

Q. And what was that limitation?

A. You — there are probably hundreds, if not thousands, of locations on SIPRNET that you would not be able to go to.

Q. Because of why?

A. Being a member of the 2nd Brigade, 10th Mountain, you had — your authorizations were based on being a member of my domain. As a member of my domain, you could not go to the, you know, M&D north sites or their shared drive or their SharePoint portal and access anything because I did not have a trust relationship configured in my active directory and their active directory that allowed us to share information in that sort of manner. You could not go to Afghanistan site shared drive or any location and pull information unless we had a trust established. Or if they had that alternate distance site configured in such a manner that you did not require verification of your authenticity.

Q. Okay, so I want to break it down just — if I'm understanding you right, I could go on — on a SIPRNET computer on your domain, I could go to any place that you had a trust relationship with?

A. Inside my domain you could go to any -- you can go to SharePoint portal, you could go to any of the -- you can go to the T-drive, you can go to any of the — the locations we had that were available to general users. We had some locations that were completely restricted to administrators that no one had rights to but myself, my NCO, my warrants, and a few other guys. But as a general user, you could go to anywhere within my brigade that was not specifically prohibited.

Q. And -

A. Outside of the domain — outside of the brigade, we'll say, you could not go to 1st Brigade, 3rd ID; you could not type in their address in the URL bar, bring up their site and access any information unless they specifically configured their systems to allow visitors. If you allow visitors, then anyone can have access to what you give visitors access to. And that goes for every other unit on SIPRNET in the world. However, my brigade, because we work closely with certain units, we had a trust established, which means I trust all of their users, meet the requirements, they trust all my users — that's the general term. The trust is actually the connection that's — that allows anyone in their domain access to mine and allows anyone in mine access to the FAR domain. And we had established — trust established with several of the other brigades in the M&DB area and with multinational brigade. And — because we had Corps level assets on my network that I managed with MNFI.

Q.  So  if  I  could  access  something  on  your  —  on  SIPRNET  — 

A.  Yes,  sir. 

Q.  —  on  your  domain,  then  —  if  I  could  access  it  —  access 
it,  I  was  permitted  to  go  there? 

A.  I  think  you  have  that  backwards,  sir. 

Q.  Based  —  no,  based  upon  what  you  said  — 

A.  If  — 

Q.  —  everything  you  said  - 

A. — if you had access and it was not specifically restricted, you were — you had — you had the ability to go there. You may not have had the authority to go there. Having the ability to go somewhere doesn't mean you have the need to know or the authority to go there, but you have the ability to go there and view, edit, remove documents.

Q.  All  right.  So  I'll  try  to  simplify  it. 

A.  Okay. 

Q.  All  right.  So  - 

A.  Sorry,  it's  very  complex. 

Q. - I'm trying to make it easy. So if — if I go — if I can — on the SIPRNET computer, if I can go to a place on your domain, then I have at least access to it -- author -- access to go there, correct?

A. You have the — there's no technical restriction preventing you to go to Captain Tom Cherepko's folder, view, edit, remove documents.

Q.  All  right.  And  then  there  is  the  separate  thing  you  talked 
about  that  you  might  have  access  but  --  and  ability  to  go  there,  but 
maybe  not  the  authority  to  go  there?  Is  that  - 

A.  Yes,  sir. 

Q.  - and  for - 

A.  For  example,  I  have  the  ability  as  administrator  to  go 
anywhere,  but  I  have  no  need  to  go  to  the  medical  officer's  file  and 
view  peoples'  medical  records.  I  have  no  real  need  to  do  that  and  no 
authority  to  do  that. 




Q.  And  were  you  aware  of  whether  or  not  all-source  analysts 
were  basically  told  they  could  look  at  anything  they  wanted  to  that 
they  had  access  to? 

A.  I  don't  know  what  they  were  told,  sir. 

Q.  So  that  would  be  a  no  then? 

A.  No. 

Q.  And  when  you  say  the  ability  and  the  authorization;  if  you 
had  the  ability  to  go  there  because  of  your  domain  allowing  you  to  go 
there,  and  you  had  the  authorization  from  your  supervisors  to  go 
there,  were  there  any  other  restrictions  on  access? 

A.  There  were  no  technical  restrictions  that  we  did  not  apply. 
There  was  no  —  if  your  supervisor  told  you  to  go  into  the  S-4  folder 
and  find  how  much  fuel  the  brigade  uses  in  a  three-month  period,  and 
you  worked  in  the  medical  company,  you  could  do  it. 

Q.  Did  —  with  regards  to  the  stuff  that  PFC  Manning  had 
access  to,  did  he  have  to  gain  access  to  that  information  on  the 
SIPRNET  by  hacking  anything? 

A.  Inside  my  domain  or  outside  my  domain? 

Q.  Inside  your  domain. 

A.  I  would  say,  no,  sir. 

Q.  Did  he  need  to  break  any  encryption  or  anything  to  get 
access  to  anything  that  was  inside  your  domain? 

A.  No,  sir. 




Q.  Did  he  need  to  circumvent  anything  to  get  access  to 
something  that  was  inside  your  domain? 

A.  He  would  have  needed  to  circumvent  nothing  technically. 

Q. So maybe the only restrictions might be if he had authorization from his supervisor to go — using your example; if I'm in the medical area, I might not have a reason to go in S-4 to see our fuel consumption for the brigade, so even though I have access to it, I might not have the authority to go there unless my boss said, you know what, it's important to me, find out how much fuel we're using, because we want to tell them how much medical needs?

A.  That  would  be  a  fair  assessment,  yes,  sir. 

Q. Now, I want to ask you about being the IAM and — as far as going to the brigade, was this your first duty assignment as an IAM?

A.  Yes,  sir. 

Q.  And  my  understanding  is  you  basically  —  this  was  --  was 
this  your  first  Brigade  Automations  Officer  position  as  well? 

A.  It  was,  sir.  It  was  my  first  duty  position  out  of  the 
schoolhouse. 

Q.  And  at  the  time  that  you  got  there,  were  you  aware  that  the 
IAM  was  responsible  for  verifying  that  all  computers  under  their 
oversight  were  properly  certified  and  accredited? 

A.  I  was  not,  sir. 




Q.  And  as  part  of  that  process  were  you  aware  that  you  had  to 
submit  what's  called  a  DIACAP  package? 

A.  I  was  not,  sir. 

Q. And my understanding of a DIACAP is that stands for a Department of Defense Information Assurance Certification and Accreditation Process Packet, is that right?

A.  That  sounds  about  right,  sir. 

Q.  Now  your  brigade  was  required  to  —  to  basically  submit  one 
of  those  packages,  correct  —  the  DIACAP  package? 

MJ:  What's  it  called? 

CDC [MR. COOMBS]: It's called a DIACAP; Delta-India-Alpha-Charlie-Alpha-Papa.

Q.  Did  —  did  your  brigade  submit  the  required  DIACAP  package? 

A.  Not  that  I  know  of  sir. 

Q. And that DIACAP package was basically designed — supposed to — designed to ensure that there was a disciplined method for information assurance?

A.  Sir,  the  —  the  systems  that  we  had  in  place  at  FOB  Hammer 
were  relatively  new  to  the  brigade.  They  received  them  —  I  was  told 
just  before  JRTC  or  right  before  they  deployed.  And  the 
certification  and  accreditation  is  valid  for  three  years.  So  there 
would  have  been  no  need  to  submit  one  at  that  point. 




Q.  Are  you  aware  of  whether  or  not  somebody  higher  than  your 
brigade  disagreed  with  that  determination  you  just  made? 

A.  I  am,  sir. 

Q.  And  did  they  disagree  with  that  determination? 

A.  They  did,  sir. 

Q.  And  so  the  DIACAP  package  —  going  back  to  my  question  — 
that  was  supposed  to  ensure  a  —  basically  a  disciplined  method  for 
information  assurance  within  the  brigade? 

A.  It  is  the  paperwork  showing  that  the  security 
implementations  that  are  required  that  I  had  in  place  were  in  place. 

Q.  To  ensure  basically  a  discipline  information  assurance 
environment? 

A.  It's  the  paperwork  that  just  shows  that  what's  required  to 
be  in  place  is  in  place. 

Q.  And,  I'm  sorry,  I  don't  mean  to  be  aloof,  I'm  trying  to  get 
an  answer  to  this  part,  but  that  process  then  is  to  ensure  that  you 
have  a  discipline  information  assurance  environment?  That  you're 
doing  everything  you're  supposed  to? 

A.  I'm  not  sure  what  the  regulation  or  the  textbook  answer  is, 
sir,  but  the  purpose  of  it  is  to  validate  that  all  of  the 
requirements  I  have  done. 

Q.  And  those  requirements  are  --  what's  the  purpose  for  those 
requirements? 




A.  To  provide  security  for  the  network. 

Q.  Thank  you. 

CDC [MR. COOMBS]: No further questions.

ATC [CPT WHYTE]: Can we have just one moment, Your Honor.

MJ:  Yes. 

[Pause] 

ATC [CPT  WHYTE]:  Thank  you. 

REDIRECT  EXAMINATION 

Questions by the assistant trial counsel [CPT WHYTE]:

Q.  Captain  Cherepko,  did  —  so  you  said  you  monitored  the 
network  to  see  if  there  were  any  movies,  music,  games  on  the 
computer? 

A.  I  did,  sir.  And  for  the  most  part  I  delegated  to  IANCO, 
but  occasionally  I  did  it  personally. 

Q.  Okay.  So  how  often  did  you  actually  look  —  search  the 
network  for  unauthorized  programs? 

A.  Personally? 

Q.  Yes. 

A.  When  I  had  free  time. 

Q.  Okay.  So  not  every  day? 

A.  No,  not  every  day. 

Q.  Why  not? 




A.  Because  I  had  a  —  I  had  an  IANCO  who  performed  it  — 
performed  the  task.  And  more  importantly  everyone  who  was  on  the 
network  had  a  security  clearance  and  signed  an  agreement  that  they 
wouldn't  do  unauthorized  things.  So  I  didn't  feel  the  need  to  search 
every  moment  of  every  waking  day. 

Q.  Why  is  that? 

A.  Because  everyone  was  trusted  to  do  what  they  said  they 
would  do. 

Q.  So  defense  on  cross  asked  you  about  certification  —  I  mean 
—  I'm  sorry,  accreditation  of  the  --  of  the  network  - 

A.  Yes,  sir. 

Q.  -  if  the  —  if  the  network  were  actually  accredited  - 

A.  I  believe  it  was,  sir. 

Q. - what — okay, what would prevent a Soldier from
actually burning classified information from the network?

A.  The  accreditation  is  paperwork,  sir,  that  stops  someone 
from  doing  nothing. 

Q.  And  what  about  leaving  the  SCIF,  for  instance,  with 
classified  information? 

A.  That  would  not  prevent  it,  no,  sir. 

ATC [CPT WHYTE]: No more questions, Your Honor.

CDC [MR.  COOMBS]:  Nothing  from  me,  ma’am. 

MJ:  I  have  a  couple  of  questions. 




EXAMINATION  BY  COURT-MARTIAL 
Questions  by  the  Military  Judge: 

Q.  With  respect  to  the  movies  and  the  games  that  you  talked 
about  that  were  on  the  T-drive,  do  you  remember  —  were  they  on  there 
when  you  arrived  —  or  at  least  were  some  of  them  on  there  from  prior 
units? 

A. They were, sir [sic]. The T-drive had been inherited from
several  previous  units  over  several  years.  And  it  was  --  they  were 
there  from  the  day  we  arrived.  You  could  go  almost  to  any  folder 
from  3rd  Brigade,  82nd  Airborne  and  find  funny  movie  clips,  music. 

Q.  You  testified  that  those  were  unauthorized  programs  and 
files  on  the  —  would  you  consider  it  —  would  you  consider  a  game 
and  —  or  music  —  were  they  programs? 

A. The media — the movies and music are media that require a
program to operate unless they've been tampered by people with
mal-intent to do executable things in the background and that's the main
security threat for them because they can be modified to do security
violations that you don't know about.

Q. The T-drive; did the network contain the program to operate
them?

A.  The  movies? 

Q.  Yes. 

A.  Yes,  ma'am. 




Q.  And  the  music  as  well? 

A.  Yes,  ma'am.  The  Microsoft  Windows  media  player  would  play 
the  movies  and  the  music. 

Q.  What  about  the  games? 

A. The games were either independent executable files or they
were scripts written inside of Excel spreadsheets or Word documents
-- those sorts of programs that would be required to run those. But
the majority of them were independent, executable files, that
required nothing but the one file that you would double click on and
run.

Q.  You  testified  earlier  that  you  would  go  to  the  T-drive  and 
remove  the  music  and  the  games  and  the  things  that  were  unauthorized. 
Other  than  yourself,  was  there  —  you  said  they  kept  reappearing,  was 
there  in  your  opinion  —  was  there  a  command  laxity  about  enforcing 
this? 

A.  In  my  opinion,  ma'am? 

Q.  Yes. 

A.  More  or  less,  yes.  The  —  you  know,  we  alerted  the  command 
to  the  presence  of  it.  The  reasons  for  why  it's  unacceptable  to  be 
there,  both  regulatory  and  security-wise  —  why  they're  not  allowed 
to  be  there,  but  yet  they  continued  to  appear.  I  tried  to  use  the 
analogy they are a information security negligent discharge. While
you may assume that firing a weapon into a barrel doesn't hurt
anyone,  you  never  know. 

Q.  Did  anyone  in  the  chain  of  command  tell  or  indicate  to  you 
why  they  were  sort  of  letting  this  go? 

A.  No,  ma'am. 

MJ:  Any  follow-up  based  on  that? 

CDC [MR.  COOMBS]:  Nothing  from  the  defense,  ma'am. 

ATC [CPT WHYTE]: Maybe two questions, Your Honor.

MJ:  That's  fine. 

REDIRECT  EXAMINATION 

Questions by the assistant trial counsel [CPT WHYTE]:

Q.  Captain  Cherepko,  were  you  aware  of  any  freeware  on  the 
network?  Any  freeware?  You  testified  earlier  that  freeware  was 
specifically  prohibited  under  25-2.  Were  you  aware  of  any  freeware 
on  your  network? 

A.  One  could  make  the  argument  that  the  games  that  I  found 
were  freeware. 

Q.  Did  you  actually  recognize  —  did  you  find,  with  looking 
through  the  network,  any  unauthorized  executable  files  outside  of 
games? 

A.  No.  No,  sir. 

Q.  Did  you  notify  the  command  of  anything  other  than  music, 
games,  movies,  on  the  network? 




A.  On  the  network?  Just  general  IA  violations  that  I  found. 
An example; is one of the FOB's we had an Iraqi Army unit, and they
tried  to  splice  into  my  fiber  with  copper,  which  would  never  work, 
but  it's  still  an  IA  violation.  So  I  alerted  them  to  that  sort  of 
violat  —  violations  as  well.  I  mean,  every  IA  violation  I  found  I 
reported  to  the  command. 

ATC [CPT WHYTE]: Thank you.

CDC [MR. COOMBS]: Just a couple questions based upon that.


RECROSS EXAMINATION

Questions by the civilian defense counsel [MR. COOMBS]:

Q. Were you looking for executable files on the T-drive?

A. Yes, sir.

Q. And how were you looking for them?

A. I would do a search for all files that end in .EXE, .VAT,
.VBS; all the types of executable files.

Q. Are you familiar with media player VLC?

A. I am, yes.

Q. Did you find that on the T-drive?

A. Yes, sir.

Q. And was that an authorized media player?

A. I believe it was, yes, sir.

Q. What do you base that on?




A.  I  —  I  recall  —  I  believe  I  recall  looking  to  find  out  if 
it  was  authorized  because  it  was  there  and  people  were  wanting  to  use 
it.  And  they  were  wanting  to  upgrade  to  the  newest  version,  so  — 
and  it's  version  specific,  so. 

CDC [MR. COOMBS]: All right. Thank you.

MJ: I have one — go ahead.

ATC [CPT WHYTE]: I just have one question, Your Honor.

MJ:  That's  fine. 


REDIRECT  EXAMINATION 

Questions by the assistant trial counsel [CPT WHYTE]:

Q.  When  you  searched  the  network  for  any  music,  games,  would 
you  actually  be  looking  at  the  —  at  a  person's  desktop  as  well? 

A.  No,  sir.  I  did  not  have  that  ability.  Unless  I  walked  to 
the  desk  and  looked  —  but,  no. 

MJ: I don't think I have any further questions. Any last
questions?

ATC [CPT WHYTE]: No, Your Honor.

CDC [MR. COOMBS]: No, ma'am.

MJ:  Temporary  or  permanent  excusal? 

ATC [CPT  WHYTE]:  Temporary. 

[The witness was temporarily excused, duly warned, and withdrew from
the courtroom.]




ATC [CPT WHYTE]: Ma'am, the United States calls Mr. Jason
Milliman.

MJ: Okay. Are you all set to go without recess or — you're
ready to go — both sides?

CDC [MR.  COOMBS]:  Defense  is  fine,  Your  Honor. 

MJ:  Okay.  Proceed. 


JASON  MILLIMAN,  civilian,  was  called  as  a  witness  for  the 
prosecution,  was  sworn,  and  testified  as  follows: 

DIRECT  EXAMINATION 

Questions by the assistant trial counsel [CPT WHYTE]:

Q.  Your  name  is  Mr.  Jason  Milliman  from  Charlottesville, 
Virginia? 

A.  Yes,  sir. 

Q.  Mr.  Milliman,  what  is  your  current  military  status? 

A.  Retired. 

Q.  And  when  did  you  retire? 

A.  August  31st  of  2005. 

Q.  How  many  hours  did  you  serve  in  the  military? 

A.  21  years. 

Q.  And  what  was  your  MOS  when  you  retired? 

A.  33  Whiskey. 




Q.  What  a  33  Whiskey? 

A.  Electronic  Repair  guy. 

Q.  Now  since  you've  retired,  what  type  of  work  have  you  been 
involved  in? 

A.  Contractor. 

Q.  Have  you  deployed  as  a  contractor? 

A.  Yes. 

Q.  What  was  your  first  deployment  as  a  contractor? 

A.  November  of  2007. 

Q.  And  how  long  was  that  deployment? 

A.  Until  February  of  2009. 

Q.  And  where  were  you  stationed  during  this  deployment? 

A.  Camp  Slayer,  Iraq. 

Q.  What  were  your  responsibilities  at  Camp  Slayer? 

A.  I  was  a  main  hub  FSE,  responsible  for  the  monitoring  of  all 
the  DCGS-A  servers  throughout  Iraq. 

Q.  And  what  is  a  FSE? 

A.  A  Field  Software  Engineer. 

Q.  When  was  your  second  deployment  as  a  contractor? 

A.  June  of  2009. 

Q.  And  how  long  was  that  deployment? 

A.  Eighteen  months. 

Q.  Where  were  you  stationed  during  this  deployment? 




A.  I  went  initially  to  JSS  Loyalty  then  to  FOB  Hammer  and 
finished  in  Camp  Ramadi. 

Q.  When  --  when  did  you  arrive  at  FOB  Hammer? 

A.  I  think  it  was  around  September  2009. 

Q. And what unit were you with when you arrived at FOB Hammer?

A. 82nd.

Q.  When  82nd  redeployed,  what  unit  took  their  place? 

A.  2/10th  Mountain. 

Q.  And  you  were  at  FOB  Hammer  when  2/10  Mountain  arrived? 

A.  Yes,  sir. 

Q. Were you there when they finally redeployed back to Fort
Drum?

A.  Yes,  I  was. 

Q.  So  you  were  there  the  entire  time? 

A.  Yes,  sir. 

Q.  What  was  your  position  at  FOB  Hammer  with  2/10  Mountain? 

A. It was a different type FSE. They called it the fly-away
FSE. My job there was to — based out of FOB Hammer to support other
units. There was the main server at FOB Hammer and all the users and
laptops. And they were stationed at Hammer, they could be at CACHE
South or wherever they were located; I would fly to them and take
care of their machine as well.

Q.  So  you're  responsible  for  the  DCGS  machines? 




A.  Correct. 

Q.  What  is  the  purpose  of  a  DCGS  machine? 

A. It's a suite of tools the intelligence analysts use to
gather the required data they need to, I guess, exploit the
intelligence.

Q.  And  what  network  were  these  DCGS  machines  hooked  up  to? 

A.  SIPR. 

Q.  To  your  memory,  how  many  DCGS  machines  were  at  FOB  Hammer? 

A.  Roughly  35. 

Q.  To  access  a  DCGS  machine,  did  you  have  to  insert  a  Linux 
operating  system? 

A.  No. 

Q.  Where  did  you  work  at  FOB  Hammer? 

A.  In  their  SCIF. 

Q.  And  how  do  you  know  PFC  Manning? 

A.  He  was  also  in  the  SCIF. 

Q.  What  did  you  know  about  PFC  Manning's  computer  skills? 

A.  Only  what  I'd  heard  —  either  him  talk  about  or  others.  I 
guess  he'd  had  a  computer  business  at  some  point,  and  he  made  a  few 
comments  about  his  skills. 

Q.  What  did  PFC  Manning  say  about  his  computer  business? 

A.  I  just  remember  at  one  point  we  talked  about  problems  and 
he  said  that  if  it  was  a  problem  that  was  taking  too  long  for  his 


8686 


1 

2 

3 

4 

5 

6 

7 

8 

9 

10 

11 

12 

13 

14 

15 

16 

17 

18 

19 

20 

21 

22 

23 


O 


o 


liking,  he  would  reimage  his  machine  and  tell  a  customer  he  couldn't 
fix  it. 

Q.  And  what  else  do  you  know  about  PFC  Manning's  computer 
skills? 

A.  He  made  a  couple  comments.  One  comment  was  there  was  no 
computer  he  couldn't  hack  into.  And  one  was  that  if  people  really 
knew  what  he  would  do  with  computers,  they  would  be  amazed. 

Q.  Did  PFC  Manning  have  issues  with  his  computer  at  FOB 
Hammer? 

A.  Yes,  he  did. 

Q.  And  can  you  explain  what  those  issues  were? 

A. His co-user, Madaras was his name, he approached me first
-- he was the day shift — telling me that his computer was acting
funny -

CDC [MR.  COOMBS]:  Objection,  Your  Honor.  Hearsay. 

MJ:  Yes. 

ATC [CPT  WHYTE]:  Just  effect  on  the  listener,  Your  Honor.  We're 
trying  to  see  what  steps  he  took  in  response  to  these  computer 
problems  that  they  were  having. 

MJ: All right, ask him if he learned if there were computer
problems; yes or no, and what he did.

Q.  Did  you  learn  of  computer  problems? 

A.  Yes,  I  did. 




Q.  And  what  did  you  do  in  response  to  those  computer  problems? 

A.  My  standard  steps  are  to  have  the  user  recreate  the  problem 
in  front  of  me  so  I  can  see  what  symptoms  there  are  and  then 
troubleshoot  it  from  that  point. 

Q.  And  what  were  some  of  those  troubleshooting  tactics  that  — 
that  you  employed? 

A.  Based  on  the  symptoms  that  I  was  given  I  tried  to  see  if 
there  was,  first,  fragmentation  on  the  drive  that  may  have  caused 
poor performance of the applications — to see if the hard drive was
running  out  of  space,  which  may  have  been  contributed  to  some 
fragmentations  as  well.  See  if  their  user  profiles  are  corrupt,  and 
barring  all  of  that,  reimage  his  machine. 

Q. Okay, so you said their — their profile became corrupt.
How would their profile become corrupt?

A.  A  lot  of  users  would  store  everything  they  had  on  their 
desktop.  And  I  explained  to  them  it  was  kind  of  like  snow  on  the 
roof  of  your  house;  your  roof  is  not  meant  for  all  the  snow.  You  get 
too  much  snow  eventually  it's  going  to  cave  in  and  crash.  So  they 
stored  all  of  the  data  on  the  desktop,  it  eventually  would  crash 
their  profile. 

Q.  And  what  steps  did  you  have  to  take  if  their  profile  was 
corrupt? 




A.  Usually  they  couldn't  log-in,  so  I  would  take  another  hard 
drive  —  take  their  hard  drive  out  and  put  another  hard  drive  in  its 
place  that  had  a  similar  operating  system  —  everything  was  exactly 
the  same,  pull  the  information  from  that  hard  drive  like  a  USB  drive 
—  I  would  pull  it  to  the  new  drive  and  let  them  start  over. 

Q.  And  is  this  the  reimaging  process? 

A.  I'm  sorry  —  yeah  —  I'm  sorry.  I'm  nervous.  That's 
actually  the  reimaging  process.  But  only  a  corrupt  profile  --  I  can 
move  the  data  to  another  folder,  delete  their  profile,  have  them  log 
in  again,  which  would  create  a  new  profile,  and  then  move  the  data 
back  to  their  profile. 

Q.  Do  you  remember  what  steps  you  took  with  the  PFC  Manning's 
computer? 

A.  I  do  remember  we  had  to  image  —  reimage  it  several  times. 

Q.  Can  you  explain  what  this,  just  again  for  the  Court,  what 
this  reimaging  process  --  literally  the  Soldier  brings  you  the 
computer  and  what  did  you  do  with  it? 

A.  Right.  After  exhausting  my  other  troubleshooting  steps 
once  I  determined  that  the  computer  had  to  be  reimaged,  I  had  a  stack 
of  spare  drives.  So  in  the  interest  of  time  —  so  that  the  analyst 
could  get  back  to  work,  I  would  take  the  old  hard  drive  out  and 
insert  the  new  hard  drive,  and  then  all  I  would  have  to  do  is 
configure  the  network  settings  so  he  would  be  up  and  running  as 


8689 


1 

2 

3 

4 

5 

6 

7 

8 

9 

10 

11 

12 

13 

14 

15 

16 

17 

18 

19 

20 

21 

22 

23 


o 


9 


quickly  as  possible.  Once  the  computer  was  back  up  and  running  as 
quickly  as  possible,  I  would  then  connect  the  old  hard  drive  to  the 
new  hard  drive  through  the  USB  port  and  a  universal  hard  drive 
adapter,  and  get  then  get  the  data  that  he  or  she  had  to  have  from 
that  drive  and  transfer  it  back  to  new  drive. 

Q.  And  how  often  did  PFC  Manning  have  issues  —  and  I  think 
it's  Sergeant  Madaras  as  well  —  how  often  did  they  have  issues  with 
their  computers? 

A.  Much  more  frequently  than  everyone  else. 

Q.  Was  PFC  Manning  authorized  to  repair  the  DCGS  computer? 

A.  No. 

Q.  Who  was  authorized? 

A.  Just  me. 

Q.  So  did  you  actually  reimage  their  computer? 

A.  Yes,  I  did. 

Q.  How  many  times  did  you  reimage  their  computer? 

A.  I  don't  recall  exactly  how  many  times,  but  I  know  it  was  at 
least  three. 

Q.  Is  that  odd? 

A.  It's  odd. 

Q.  Why?  Can  you  explain  why? 

A.  Unless  there's  hardware  failures  —  once  a  machine  is 
imaged,  it's  good  until  something  drastic  happens  to  it.  If  they  run 


8690 


1 

2 

3 

4 

5 

6 

7 

8 

9 

10 

11 

12 

13 

14 

15 

16 

17 

18 

19 

20 

21 

22 

23 


O 


9 


out  of  hard  drive  space  causing  the  operating  system  to  crash  or 
something  there's  —  or,  you  know,  if  the  hard  drive  fails  itself, 
there's  no  need  to  reimage  the  machine. 

Q.  And  in  your  experience  how  long  did  it  generally  take 
before  it  needed  to  be  reimaged  again? 

A.  Manning's  computer  or  others? 

Q.  Other  computers  in  general. 

A.  In  general;  unless  there  was  a  hardware  failure  or 
something  catastrophic,  it  didn't  need  to  be  reimaged. 

Q.  And  when  did  PFC  Manning  and  Sergeant  Madaras  have  computer 
issues  during  their  deployment  —  at  what  stage  in  the  deployment? 

A.  Shortly  after  82nd  left  I  remember  Madaras  approached  me 
first.  And  a  few  other  times  after  that  —  and  —  relatively  short 
order,  like  a  month  or  so  after  the  previous  reimaging. 

Q.  And  at  that  time  in  the  deployment,  how  many  hard  drives  — 
spare  hard  drives  did  you  have? 

A.  Probably  five  or  six. 

Q.  Was  that  —  is  that  a  lot  or  a  little? 

A.  That's  probably  relatively  a  lot. 

Q.  Let's  talk  about  administrator  rights  on  the  DCGS  machine; 
who  had  administrator  rights  on  the  DCGS  machines? 

A.  I  had  rights  and  the  mentor,  his  name  is  Marvin  Gammage 
[phonetic],  he  had  rights. 




MJ:  Who? 

WIT:  Marvin  Gammage.  He  was  the  mentor. 

Q.  And  so  which  Soldiers  of  2/10  Mountain  had  administrator 
rights? 

A.  None. 

Q.  Did  PFC  Manning  have  administrator  rights? 


Q.  So  what  does  it  mean  you  were  the  administrator  of  the  DCGS 
machines? 

A.  You  have  full  control  of  the  machine. 

Q. So like what things can you do that an ordinary user cannot
do?

A.  If  there  was  Google  Earth  or  Microsoft  Office  or  something 
like  that  to  be  installed,  I  could  install  it  with  full  rights  and 
privileges  without  any  restrictions. 

Q.  So  was  PFC  Manning  authorized  to  install  programs  on  those 
DCGS  machines? 

A.  No,  he  was  not. 

Q.  What  happened  if  a  Soldier  wanted  a  program  for  his  DCGS 
machine  but  it  wasn't  actually  on  the  computer? 

A.  He  needed  —  he  or  she  needed  to  contact  me,  and  if  it  was 
an  authorized  program  that  I  was  allowed  to  install,  I  would  install 
it.  If  I  didn't  know  if  it  was  authorized  or  not,  I  would  contact 


8692 


1 

2 

3 

4 

5 

6 

7 

8 

9 

10 

11 

12 

13 

14 

15 

16 

17 

18 

19 

20 

21 

22 


O 


9 


Camp  Slayer  —  the  lead  FSE  was  stationed  at  Camp  Slayer  —  and  make 
the  request  to  him.  And  usually  we  were  supposed  to  fill  out  an 
official software request form, but it was usually done word-of-mouth.
So they would determine at Camp Slayer if it was authorized
program  or  not.  If  it  was  authorized,  they  would  tell  me  to  load  it. 
If  it  was  not  authorized,  I  couldn't  load  it. 

Q.  When  you  were  at  FOB  Hammer,  were  familiar  with  Wget? 

A.  No. 

Q.  When  you  were  at  FOB  Hammer,  did  any  Soldier  request 
permission  to  put  Wget  on  their  computer? 

A.  I  do  not  recall  anyone  asking  for  it. 

Q.  At  FOB  Hammer,  did  you  install  Wget  on  any  DCGS  computer? 

A.  Not  that  I  can  recall. 

Q.  Are  you  familiar  with  what  an  executable  file  is? 

A.  I  believe  I  am,  yes. 

Q.  What  is  an  "executable  file"? 

A.  An  "executable  file"  is  something  that  runs  on  its  own.  It 
doesn't  require  other  files  to  operate,  I  guess. 

Q.  Are  you  familiar  with  the  installation  process  for  an 
executable  file? 

A.  Relatively,  yes. 

Q.  And  what  is  that  process  generally? 




A.  Normally  it  will  have  some  sort  of  interactive  GUI  or 
something  telling  you  to  do  a  certain  process  of  steps  to  install  it. 
Normally  for,  like,  Microsoft  Office  or  something,  you  would  make 
modifications  to  system  files  or  registry,  that  kind  of  thing. 

Q. Is Microsoft Office an executable file — a self-executable
file?

A.  I  don't  know  that  I  know  the  correct  answer  to  that.  I'm 
just  using  that  as  an  example  to  make  modifications  to  a  file. 

Q. So could a Soldier put an executable file on their DCGS
machine?  Could  they? 

A.  They  could,  but  they  wouldn't  be  authorized. 

Q.  Who  was  authorized  to  put  executable  files  on  the  DCGS 
machines? 

A.  Just  me  or  other  FSEs. 

Q.  So  how  would  using  an  executable  file  allow  a  user  to 
circumvent  needing  to  actually  contact  you? 

A.  Can  you  say  that  again? 

Q.  So  how  would  using  an  executable  file  circumvent  the  need 
to  come  to  you,  the  administrator? 

A.  If  I  understand  the  question  correctly,  a  user  could 
install  self-executable  on  the  desktop  without  coming  to  me  even 
though  it  would  be  unauthorized. 




Q.  When  you  were  at  FOB  Hammer,  was  Wget  an  authorized 
executable  file? 

A.  I  don't  recall,  but  I  don't  believe  so. 

Q.  Do  you  know  if  PFC  Manning  had  Wget  on  his  computer? 

A.  I  do  not  know. 

Q.  You  testified  earlier  that  you  were  —  you  were  responsible 
for  the  DCGS  machines? 

A.  Correct. 

Q.  So  how  did  you  not  know  if  PFC  Manning  had  a  program  on  his 
computer? 

A.  I  didn't  go  behind  every  user  on  a  daily  basis  to  find  out 
if  they  had  installed  something.  It  was  understood  or  I  thought  it 
was  understood  that  we're  all  in  a  position  of  trust  so  that  was  not 
something  that  was  normally  done. 

ATC [CPT WHYTE]: We have no more questions, Your Honor.

MJ: Cross-examination?

CDC [MR. COOMBS]: Yes, Your Honor.

CROSS-EXAMINATION

Questions by the civilian defense counsel [MR. COOMBS]:

Q.  Mr.  Milliman,  how  are  you? 

A.  Good.  How  are  you? 




Q. Just a few questions for you. I want to talk about some
problems that the DCGS-A computer had due to the environment, okay?
Is that all right?

A.  Yes,  sir. 

Q.  Now,  heat  was  a  major  problem  for  the  DCGS-A  computers, 
correct? 

A.  In  the  beginning  it  was.  But  we  overcame  that  with  some 
creative  methods  like  using  Gatorade  bottle  caps  to  elevate  it  off 
the  —  off  of  the  desktops  to  get  more  air  flow  in  there  so  that  was 
no  longer  a  problem. 

Q.  And  the  DCGS-A  computers,  they  would  run  hot  even  if  they 
were  in  an  air  conditioned  room,  so  you  had  to  do  those  kind  of 
creative  steps,  right? 

A.  Correct. 

Q.  And  in  addition  to  heat,  the  dust  —  the  dust  from  being  in 
the  desert  was  a  problem  for  the  DCGS-A  computers? 

A. Correct. So it was very frequently — it was — it was
required to frequently use cans of air to blow the dust out of the
machines.

Q.  That's  what  I  was  going  to  ask.  You  would  go  around  behind 
them  and  you  would  —  you  would  spray  the  computers  basically  to  blow 
out  the  dust? 

A.  We  went  through  a  lot  of  cans  of  air,  yes,  sir. 




Q.  All  right.  Now  the  computers  still,  in  spite  of  doing 
these  things  —  the  creative  —  putting  a  bottle  cap  underneath  or 
blowing  out  the  dust,  they  would  occasionally  crash? 

A.  Occasionally. 

Q. And with regards to the DCGS-A computers, from your
experience, there was usually always at least two users on each
DCGS-A computer, is that right?

A.  For  the  most  part  I  believe  that's  true. 

Q. Now the DCGS-A computers, at least from the user profiles,
those could be corrupt if one or both of the users were storing a lot
of information on the desktop?

A.  If  one  of  the  two  users  stored  a  lot  of  information  on  the 
desktop  only  their  profile  would  be  corrupt. 

Q.  Yeah,  I  think  you  used  an  example  of,  like,  you  know,  snow 

A.  Right. 

Q. - basically piling up on top of your roof and caves in
because of the weight?

A.  Correct. 

Q.  So  if  one  or  both  of  the  users  were  storing  a  lot  on  the 
desktop,  one  or  both  of  the  user  profiles  would  become  corrupt? 

A.  One  user  could  not  make  another  user's  profile  become 
corrupt  because  of  what  they  did  to  their  profile. 




Q.  Okay.  So  it  would  only  be  the  user  profile  that  had  too 
much  information  - 

A.  Correct. 

Q.  -  that  one  would  be  corrupt? 

A.  Correct. 

Q.  You  talked  about  Madaras  coming  to  you  complaining  about 
his  computer  that  he  shared  with  PFC  Manning.  It  was  Madaras  coming 
to  you  to  complain  about  the  computer,  correct? 

A. Correct. He was the first one I saw because he was on day
shift.

Q.  It  wasn't  PFC  Manning  coming  to  you  to  complain  about  the 
computer? 

A.  I  don't  recall  him  —  he  could  have  complained,  but  I  don't 
recall.  I  just  remember  Madaras  because  he  was  the  first  one  I  saw 
in  the  morning.  So  that's  how  it  started. 

Q.  And  I  guess  —  you  said  sometimes  you  had  to  reimage  based 
upon  the  problems  that  you  encountered? 

A.  Correct. 

Q.  And  did  you  have  to  reimage  the  computer  of  PFC  Manning  and 
Sergeant  Madaras? 

A.  Yes. 

Q.  And  again,  that  was  based  upon  Sergeant  Madaras  coming  to 
you  saying  I've  got  problems  with  this  computer? 




A. The reimaging was based on my troubleshooting — my
diagnosis of what was needed since other steps had failed to correct
the problem.

Q. And the — what precipitated those other steps was Madaras
coming to you, not PFC Manning?

A. I believe so.

Q. Now whenever you would try to fix a computer that crashed,
sometimes you would retrieve information, correct?

A. You mean take their information that they wanted to save
and save it somewhere else?

Q. Maybe a bad question. If a computer crashed, sometimes you
could save all the information and sometimes you couldn't, is that
right?

A. Sometimes I could save the user's data and sometimes I
couldn't, correct.

Q. Okay. And when you were looking, I guess, at Sergeant
Madaras and PFC Manning's computer, did you ever look to see what
they had on their desktop that was causing the problems?

A. Well, it's not always the desktop that is the problem. But
I would usually as a standard operating procedure, I guess you'd call
it, I would see — basically the size of the desktop — if they had a
large amount of data I would say, hey, you need to move that to your
My Documents folder otherwise you're going to have a profile crash.


8699 




I  would  see  if  the  hard  drive  was  fragmented.  I  would  see  if  they 
were  running  out  of  hard  drive  space.  And  if  those  things  all  seemed 
in  order  and  I  couldn't  find  another  way  to  fix  the  problem,  I  would 
give  them  an  opportunity  --  I  could  tell  them  I  can  delete  your 
profile  and  recreate  a  new  one  if  you  think  that'll  work,  or  I  can 
reimage  your  machine.  And  usually  they  would  just  opt  to  have  the 
machine  reimaged  and  skip  that  step. 

Q.  All  right.  And  at  least  the  times  that  you  reimaged  the 
computers,  from  your  memory  --  I  know  it's  been  a  while  --  but  from 
your  memory  it  was  Madaras  asking  you  to  reimage  the  computers  and 
not  PFC  Manning? 

A.  I  don't  know  100  percent  who  requested  it,  but  I  would  say 
probably  Madaras. 

Q. Okay. I want to ask you a few questions about adding
software to the DCGS-A computer, all right?

A.  Sure. 

Q.  And  I  believe  you  said  on  direct  that  you  were  the  only  one 
authorized  to  do  that? 

A.  Correct. 

Q.  So  if  somebody  wanted  something  they  would  come  to  you  and 
say,  Mr.  Milliman,  could  I  please  add  —  or  could  you  add  this 
software  onto  my  DCGS-A  computer? 

A.  Correct. 


8700 




Q.  And  they  would  do  that  because  you  were  the  only  one  in 
addition  to  another  civilian  that  had  administrator  rights  on  those 
DCGS-A  computers? 

A.  Correct. 

Q.  Now  if  you  were  asked  to  —  to  put  on  a  —  a  program  onto 
the  DCGS-A  computer,  could  you  tell  us  what  the  process  was  that  you 
would  go  through  in  order  to  determine  that,  yes,  I  will  do  that,  or, 
no,  I  won't  do  that? 

A.  If  a  user  approached  me  requesting  a  program  to  be  loaded 
onto  the  DCGS-A  that  wasn't  normally  part  of  the  baseline,  for 
instance,  there  was  a  compression  program  that  they  use  as  a  standard 
tool  —  and  --  the  first  request  I  didn't  know  if  it  was  authorized 
or  not,  so  I  would  contact  the  lead  FSE;  a  Field  Software  Engineer, 
at  Camp  Slayer,  who  would  then  either  be  able  to  give  me  a  direct 
answer,  or  if  he  didn't  know  the  answer  he  would  find  out  the  answer 
and  get  word  back  to  me  whether  it  was  authorized  or  not.  If  it  was 
authorized  I  would  install  it,  if  not,  I  wouldn't. 

Q. Now was there ever a time where -- do you remember the
Brigade Commander for the 2/10th Mountain, do you remember who that
was?

A.  No,  I  don't. 

Q.  Does  Colonel  Miller  sound  familiar? 


8701 




A.  Yes  and  no.  It's  a  very  common  name,  but  I  don't  recall 
that  being  the  commander. 

Q. All right. Do — do you recall a time wherein the Brigade
Commander came to you and said, I want to get mIRC chat onto my
DCGS-A computers?

A.  I  don't  recall  it,  but  it's  quite  possible  that  it 
happened. 

Q.  Do  you  recall  ever  the  Brigade  Commander  signing  a  form 
saying  I  want  the  DCGS-A  computers  to  have  mIRC  chat;  I'm  going  to 
take  responsibility  for  that  because  it's  not  part  of  the  baseline 
package?  Here's  the  form,  go  make  it  happen. 

A.  I  don't  recall  that  series  of  events,  but  I  know  there  were 
letters  as  the  standard  --  we  had  like  a  little  book  of  memorandums 
and  letters  from  certain  folks  accepting  risk  and  so  forth.  I  know 
that  mIRC  chat  was  not  on  the  baseline  —  the  standard  baseline  for 
DCGS-A,  but  it  was  granted  authority  because  it  was  the  tool  of 
choice  for  both  the  82nd  and  2/10th  Mountain  Division  and  other  units 
as  well.  So  they  for  —  they  —  they  stopped  using  the  DCGS-A 
collaboration  tool  and  started  using  mIRC  chat.  So  it  was  common  for 
me  to  load  mIRC  chat  on  DCGS-A. 

Q.  And  —  and  so  when  you  did  that,  from  your  memory  —  now  — 
and,  again,  I  know  it's  been  a  while,  but  based  upon  your  memory, 
that  wasn't  at  the  request  of  the  Brigade  Commander? 


8702 




A.  I  would  say  that's  a  fair  statement.  I  don't  recall  that 
being  directly  from  the  Brigade  Commander. 

Q.  And  mIRC  chat  —  the  DCGS-A  computer  had  as  part  of  its 
baseline  package  a  program  called  PSI  Jabber? 

A.  Say  it  again? 

Q.  Right.  For  the  baseline  package  for  mIRC  chat,  the 
collaborative  tool  —  the  communication  tool  that  they  had  was  PSI 
jabber,  is  that  correct? 

A.  I  think  PSI  Jabber  was  the  collaboration  tool  for  DCGS-A. 

Q.  Right.  That's  what  I  mean. 

A.  Okay,  yeah,  I  think  mIRC  chat  was  a  collaboration  tool  they 
wanted  to  use  instead  of  PSI  Jabber. 

Q.  Exactly.  And  so  they  were  asking  you  to  put  something  on 
that  was  not  the  baseline  tool  - 

A.  Correct. 

Q.  -  for  the  DCGS-A  computer? 

A.  Correct. 

Q.  And  from  your  memory  then  you  were  the  one  adding  mIRC  chat 
to  anybody's  computer  that  asked  for  it,  based  upon  —  once  you  got 
approval? 

A.  When  I  first  deployed  my  second  deployment  as  a  fly-away 
FSE  with  the  82nd  was  my  first  introduction  that  I  recall  of  mIRC 
chat.  So  I  went  through  the  same  steps  I  described  earlier; 


8703 




contacted the lead FSE at Camp Slayer. They determined it was an
authorized program to be installed. So from that point on I would
install it. So when I would reimage a machine or when the 2/10th
Mountain came in and a RIP/TOA was in place, it became a standard
tool that I installed in all the DCGS-A machines.

Q.  And,  I  guess,  when  you  then  installed  it  on  all  of  the 
machines,  there  would  be  no  need  for  PFC  Manning  then  to  go  to 
somebody's  computer  and  put  mIRC  chat  on  their  computer? 

A.  That  is  correct. 

Q.  And  at  least  from  —  from  your  position,  if  PFC  Manning  was 
asked  to  put  mIRC  chat  on  somebody's  computer,  that  would  not  have 
been  something  you  would  have  approved  of? 

A.  Correct. 

Q. I know you used the example of an executable file. I just
want to make sure that we will have a common understanding of that.
If I had an executable file and I wanted to put it on my desktop;
something that I double click and it ran, could I do that not from
the standpoint of approval, but could I do that as far as the ability
to do it?

A. Yes, the ability is there although the authorization is not.

Q.  And  from  your  position,  if  the  DCGS-A  computers  —  if  you 
wanted  to,  could  you  —  could  you  position  the  DCGS-A  computers  in 


8704 




such  a  way  to  prevent  a  person  from  having  the  ability  to  put  an 
executable  file  on  the  desktop? 

A. I believe the only way to restrict that to take away all
the right — privileges of the user to write to their own desktop. I
think that would severely impact the analysts mission.

Q.  All  right.  So  from  your  position,  at  least  from  your 
knowledge,  there  was  no  way  to  prevent  somebody  from  putting  an 
executable  file  on  the  desktop  short  of  eliminating  their  ability  to 
write  anything  to  the  desktop? 

A.  From  —  my  opinion,  yes. 

Q.  Okay.  Now  —  obviously  that  didn't  happen  because  Soldiers 
had  the  ability  to  put  stuff  on  their  desktop,  is  that  right? 

A.  Yes. 

Q.  And  because  they  could  put  it  on  their  desktop,  if  a 
Soldier  wanted  to,  they  could  put  games,  music,  movies,  and 
executable  files  on  their  desktop? 

A.  That's  true. 

Q.  Now  in  the  past  you  had  noticed  that  Soldiers  had,  in  fact, 
placed  music  on  their  DCGS-A  computers? 

A.  Correct. 

Q.  And  games  as  well? 

A.  I  can't  say  for  certain  if  the  2/10  did.  I  know  other 
units  had,  but  I  can't  recall  if  the  2/10th  did  or  not. 


8705 




Q.  And  having  games  and/or  music  or  executable  files  or 
whatnot  on  your  DCGS-A  computer,  that  was  not  allowed? 

A.  It  was  not  authorized,  correct. 

Q.  From  your  position? 

A.  From  my  position,  yeah. 

Q.  But  even  —  because  —  you  didn't  think  it  was  allowed,  you 
didn't  feel  that  you  were  in  the  position  to  tell  the  Soldier,  hey, 
take  that  off  your  DCGS-A  computer? 

A.  I  had  no  authorization  to  tell  a  user  what  to  put  or  remove 
from  their  computer.  I  can  only  make  suggestions. 

Q.  And  when  you  made  suggestions,  I  imagine  you  might  make 
suggestions  to  the  Soldier  and  then  to  their  immediate  supervisor? 

A.  Correct. 

Q. And then whether or not the Soldier or the supervisor chose
to follow your suggestion, you wouldn't know at that point?

A.  Yeah,  that's  not  for  me  to  know. 

Q.  And  I  know  you  said  you  weren't  making  it  a  habit  of 
looking  at  what  Soldiers  were  and  were  not  placing  on  their  DCGS-A 
computers,  right? 

A.  Correct.  The  only  time  I  would  see  the  computer  is  when  I 
had  to  provide  updates  to  the  operating  system  or  security  patches  or 
if  I  had  to  reimage  their  machine. 


8706 




Q.  And  —  so  based  upon  that,  I  guess,  you  wouldn't  know  how 
prevalent,  if  at  all,  it  was  for  Soldiers  to  put  executable  files  on 
their  DCGS-A  computers? 

A.  Correct. 

Q.  Now  based  upon  your  experience,  you  did  have  situations 
where  in  the  past  you  had  military  members  trying  to  crack  the 
password  to  the  DCGS-A  computer? 

A.  When  there's  a  RIP/TOA,  it  was  a  common  occurrence  that  - 

Q.  And  I'm  sorry  —  just  to  stop  you  there.  The  RIP/TOA  was 
just  when  two  units  were  swapping  out? 

A.  When  they  would  overlap  —  yes.  That  when  the  82nd  would 
leave  and  2/10  would  come  in,  it's  called  a  RIP/TOA;  Relief  In  Place 
and  Transition  of  Authority.  So  when  the  new  unit  coming  in  would 
bring  in  their  DCGS-A  computers,  the  standard  philosophy,  I  guess,  or 
belief  of  the  unit  is  they're  our  machines,  we  have  full  rights,  you 
can't  have  administrator  privileges.  So  there  was  a  special  letter 
signed  by  somebody  saying  that  only  the  DCGS-A  FSEs  had 
administrative  privileges  not  the  unit  S-6s.  So  in  the  very 
beginning  there  was  friction,  but  we  got  it  ironed  out.  So  there 
were  a  couple  of  occasions  where  they  would  crack  my  password,  remove 
the  administrator  account,  and  we  would  battle  that  out. 


8707 




Q.  All  right.  And  —  essentially,  my  understanding  is,  it  was 
basically  you  educating  the  military  side  of  the  house  that  although 
you're  using  these  computers  and  although  they're  on  your  network, 
these  are  not  your  computers,  is  that  a  fair  statement? 

A.  Not  entirely.  It  was  their  computer,  but  because  of  the 
delicacy  of  the  program  and  the  suite  of  tools  it  used,  it  required 
only  the  DCGS-A  administrators  to  be  the  ones  to  have  the  full 
administrator  rights  on  those  machines. 

Q.  So  you  would  educate  them,  because  of  how  everything  was 
set  up,  even  though  it's  on  your  system,  you  use  it,  it  is 
technically  —  it  is  your  computer  —  you  paid  for  it,  but  you  don't 
have  the  ability  to  tinker  with  it? 

A.  Correct. 

Q.  Okay.  Now  in  the  past,  also  —  whenever  you  would  give  or 
put  mIRC  chat  onto  a  computer,  it  was  a  specific  version  of  mIRC 
chat,  am  I  correct? 

A.  I  don't  recall,  but  it  probably  was. 

Q.  Because  authorization  for  programs  was  version-based,  am  I 
not  correct  —  you  wanted  to  make  sure  it  didn't  —  it  was  compatible 
with  everything  else  so  it  had  to  be  tested  —  that  particular 
version? 


8708 




A.  Those  tests  would  have  been  run  by  the  FSEs  at  Camp  Slayer. 
So  I  don't  know  and  I  don't  think  I  can  speak  to  version  numbers 
because  I  don't  recall  if  there  was  different  versions  of  mIRC  chat. 

Q.  Okay.  And  you're  —  and  if  you  don't  feel  you  can  answer 
this  you  can  just  tell  me  I  don't  feel  I  can  answer  it  and  I  won't 
worry  about  it  —  in  your  experience  whenever  you  have  got  approval 
for  a  certain  program,  was  it  a  version-based  approval  or  was  it  for 
the  lifetime;  you  could  always  add  whatever  version  you  wanted  of 
that  particular  program? 

A.  I  think  I  can  answer,  but  it  may  be  a  lengthy  answer. 

Q.  Well,  go  right  ahead. 

A.  Yeah,  the  —  we  would  have  —  the  Camp  Slayer  FSE's  would 
deliver  new  images  to  be  used  on  DCGS-A  machines.  Those  images  would 
contain,  for  instance,  if  there  was  a  new  version  of  a  program  on 
that  image  —  if  a  new  image  or  a  new  version  —  I'm  sorry  --  of  mIRC 
chat  would  be  authorized,  it  would  also  come  with  notes  —  they  would 
say,  hey,  now  we're  using  Version  B  or  C  or  whatever  of  this  program, 
start  using  this  now.  We  also  had  CDs  that  we  carried  that  have 
tools  to  use  when  we  troubleshoot  or  other  programs  that  weren't  on 
the  standard  DCGS-A  baseline  to  load  on  those  user  machines  if 
needed;  like  the  mIRC  chat  or  whatever.  So  although  I  don't  recall 
if  there  were  different  versions  of  mIRC  chat,  it's  possible.  But  it 


8709 




would  have  been  tested  and  vetted  before  it  was  allowed  to  be 
installed. 

Q. Okay, so if I'm understanding correctly, if you came back
and you said Version B is the one that's approved and that's the one
that is now the baseline — that's approved and we've got the Version
B CD, if the following day I said, hey, Mr. Milliman, I just found
out Version C's available online, I'm going put on it my computer,
you would say, no?

A.  Correct. 

Q.  Okay.  So  that  approval  was  then  for  that  version,  and  if 
you  had  a  newer  version,  you  were  not  supposed  to  put  that  on  your 
computer? 

A.  Not  until  it  was  authorized. 

Q.  In  your  past  experience  you  knew  of  Soldiers  who  liked  to 
have  the  latest  version  of  any  particular  software,  right? 

A.  All  Soldiers  like  to  have  the  latest  software,  but  they 
didn't  always  get  what  they  wanted. 

Q.  Do  you  recall  ever  having  a  situation  where  you  did  have 
Soldiers  putting  more  recent  versions  than  they  should  have  on  their 
DCGS-A  computer? 

A.  No,  I  don't. 


8710 




Q.  You  don't  remember  ever  telling  me  about  a  lieutenant  who 
would  do  that  because  they  liked  having  the  latest  version  of 
anything? 

A.  I  recall  —  I  don't  recall  the  rank,  but  I  recall  an 
officer  in  the  beginning  getting  the  compression  program  installed  on 
his  computer.  And  that's  when  we  had  the  password  cracking  and 
removing  of  my  administrator  account.  But  I  don't  recall  any  other 
instance  other  than  that. 

Q.  Okay,  so  it  was  something  early  on  when  they  put  something 
on  and  you  basically  told  them,  hey,  you're  not  supposed  to  do  this? 

A.  Right. 

CDC [MR. COOMBS]: Okay. Mr. Milliman, again, I appreciate your
time. Thank you.

MJ:  Redirect? 

ATC [CPT WHYTE]: We have no questions, Your Honor.

MJ:  I  just  have  a  couple. 

EXAMINATION  BY  COURT-MARTIAL 
Questions  by  the  military  judge: 

Q.  Is  mIRC  chat  an  executable  file? 

A.  I  think  it  is.  I'm  not  an  expert  on  it.  But  I  —  from 
what  I've  read  because  it  was  one  of  the  questions  that  came  up,  but 
it's  a  —  it  appears  to  be  a  program  that  can  be  downloaded  and 
installed  directly  on  your  desktop. 


8711 




Q.  When  you  had  two  users  like  Sergeant  Madaras  and  PFC 
Manning,  and  one  worked  the  day  shift  and  one  worked  the  night  shift, 
if,  say,  in  this  situation  Sergeant  Madaras  came  up  and  said,  you 
know,  I've  got  all  these  problems  with  my  computer,  would  you  do  the 
reimaging  before  seeing  Private  --  PFC  Manning  on  the  night  shift  or 
how  did  you  do  that? 

A.  No,  I  made  sure  I  tried  to  cover  both  shifts.  So  I  would 
come  in  the  middle  of  the  day  shift  and  work  through  the  rest  of  the 
day  shift  and  then  work  through  half  the  night  shift  as  well  so  I  can 
see  both  users  and  confirm  the  problems  with  both  users  and  make  sure 
they  were  both  aware  what  was  going  on.  Because  I  wouldn't  want  to 
take  the  machine  down  and  possibly  lose  data  without  talking  to  both 
users  to  find  out  what  both  users  needed  as  data  transferred  from  one 
machine  to  another  —  or  another  —  one  hard  drive  to  another. 

Q.  When  you  reimaged  the  machine  of  Sergeant  Madaras  and  PFC 
Manning,  did  PFC  —  what  did  PFC  Manning  say  about  his  data;  did  he 
want  it? 

A.  They  both  wanted  their  data  as  far  as  I  can  recall,  but  I 
don't  —  I  can't  recall  specific  conversation. 

Q.  But  they  both  wanted  their  data  - 

A.  I'm  sure  —  yes. 

Q.  -  or  all  of  their  data  —  was  that  typical? 


8712 




A.  That  was  typical.  Most  users  always  wanted  their  data.  So 
it  was  not  uncommon. 

MJ:  Any  follow-up  based  on  that? 

CDC [MR. COOMBS]: No, ma'am.

ATC [CPT  WHYTE]: No  ma'am. 

MJ:  Temporary  or  permanent? 

ATC [CPT WHYTE]: Temporary.

[The witness was temporarily excused, duly warned, and withdrew from
the courtroom.]

TC [MAJ  FEIN]:  Ma'am,  the  United  States  requests  a  10-minute 
recess,  and  then  a  brief  802,  and  then  come  back  on  the  record. 

MJ:  All  right.  Court  is  in  recess  until  1825  or  6:25. 

[The  court-martial  recessed  at  1818,  12  June  2013.] 

[The court-martial was called to order at 1827, 12 June 2013.]

MJ: Let the record reflect all parties present when the Court
last recessed are again present in court. The parties met with me
briefly  for  an  R.C.M.  802  session,  and  it  appears  they  are  working  to 
address  other  stipulations  of  expected  testimony.  And  that  work  will 
require  some  time,  and  because  of  that  and  some  other  logistics 
issues  to  include  some  weather  issues  that  we're  expecting  tomorrow, 
this  court  is  going  to  go  in  recess  tonight,  and  we  will  begin  again, 
like  we  did  last  week  at  0930  on  Monday  morning.  Is  that  the  — 
anything  else  that  the  parties  would  like  to  add? 


8713 




TC [MAJ FEIN]: That was everything, ma'am.

CDC [MR. COOMBS]: No, Your Honor.

MJ: All right. Is there anything else we need to address
before we recess the Court?

TC [MAJ FEIN]: No, ma'am.

CDC [MR. COOMBS]: No, Your Honor.

MJ: Court is recessed until 0930 on Monday.

[The court-martial recessed at 1828, 12 June 2013.]

[END OF PAGE]


8714 




[The  court-martial  was  called  to  order  at  0940,  17  June  2013.] 

MJ:  Court  is  called  to  order. 

Major  Fein,  please  account  for  the  parties. 

TC [MAJ  FEIN]:  Yes,  ma'am.  Your  Honor,  all  parties  when  the 
court  last  recessed  are  again  present  with  the  following  exceptions: 
Mr.  Chavez,  court  reporter,  is  absent.  Mr.  Robertshaw,  the  court 
reporter,  is  present.  Captain  Whyte  and  von  —  Captains  Whyte  and 
von  Elten  are  absent.  Captain  Morrow  is  present. 

MJ:  All  right,  thank  you. 

I'd  like  to  begin  with  some  housekeeping.  There  have 
been  a  number  of  exhibits  that  have  been  emailed  to  the  court  over 
the  weekend  that  I  would  like  to  have  put  on  the  record. 

Major  Fein,  can  you  go  through  and  account  for  those? 

TC [MAJ  FEIN]:  Yes,  ma'am.  And  prior  to  that,  if  it  may  please 
the  court.  Your  Honor,  accounting  for  availability  of  the  public  to 
the  court-martial. 

MJ: Uh-huh [affirmative response].

TC [MAJ  FEIN]:  There  are  currently  12  members  of  the  media  at 
the  media  operations  center  with  one  stenographer.  There's  also  one 
member  of  the  media  present  in  the  courtroom.  The  theater,  although 
available,  is  being  unused.  The  overflow  trailer,  also  available,  is 
being  unused;  and  there  are  currently  seats  available  in  the 
courtroom  itself. 


8715 




Your  Honor,  the  United  States  on  15  June  2013  filed  the 
Government's  Targeted  Brief  on  Admissibility  of  Internet  Documents; 
that's  been  marked  as  Appellate  Exhibit  567.  The  defense  on  the  same 
day  filed  its  targeted  brief  titled  "On  Objection  to  Prosecution 
Exhibits  31,  32,  33,  34,  and  109";  that  has  been  marked  as  Appellate 
Exhibit  568.  The  defense  also  filed  a  motion  for  judicial  notice  of 
FOIA  by  Reuters;  that  has  been  marked  as  Appellate  Exhibit  569.  The 
defense  also  filed  a  motion  for  judicial  notice  of  CENTCOM  class 
assessment;  that  has  been  marked  as  Appellate  Exhibit  570;  and  the 
defense  filed  a  motion  for  judicial  notice  of  WikiLeaks  publications 
of  9/11  messages,  and  that  has  been  marked  as  Appellate  Exhibit  571. 

MJ: Now, Mr. Coombs, these defense requests for judicial
notice, are they for the purposes of the motion?

CDC [MR. COOMBS]: No, Your Honor.

MJ:  So  they're  for  purposes  of  the  defense  case  during  trial? 

CDC [MR.  COOMBS]:  Yes,  Your  Honor. 

MJ:  Okay. 

Has  the  government  had  an  opportunity  to  look  at  those 
motions  for  judicial  notice? 

TC [MAJ  FEIN]:  No,  Your  Honor. 

MJ:  All  right,  and  I  assume  you  want  some  time  to  do  that? 

TC [MAJ  FEIN]:  Yes,  ma'am.  The  United  States  requests  2  duty 
days  to  review  those  and  to  reply  back  —  or  reply  to  the  court. 


8716 




MJ:  All  right,  that  seems  reasonable. 

Any  objection? 

CDC [MR. COOMBS]: No objection, Your Honor.

MJ:  All  right. 

Then  the  —  Government,  if  you  will  have  your  reply, 
then,  back  to  the  court  on  —  by  close  of  business  on  Wednesday? 

TC [MAJ  FEIN]:  Yes,  ma'am. 

MJ:  Okay. 

All  right,  the  parties  and  I  met  briefly  in  a  R.C.M.  802 
conference  before  we  came  on  the  record  today.  Once  again,  that's  a 
conference  where  I  go  over  scheduling  and  logistics  issues  with  the 
parties  before  we  start  the  trial  and  sometimes  during  the  trial  when 
new  issues  arise.  Both  sides  had  advised  me  that  they  were  going  to 
need  a  little  bit  of  time  this  morning  to  recess  and  go  over  some 
things  that  they  need  to,  some  administrative  issues  and  some 
upcoming  exhibits  that  they  need  to  look  at  and  address  outside  of 
the  courtroom. 

Is  there  anything  else  we  need  to  address  at  this  time 
before  we  take  that  recess? 

CDC [MR.  COOMBS]:  No,  Your  Honor. 

TC [MAJ  FEIN]:  No,  ma'am. 

MJ:  All  right,  how  long  do  you  need? 

CDC [MR. COOMBS]: Ma'am, if we could have until 10 hundred?


8717 




MJ:  Does  that  work  for  the  government? 

TC [MAJ  FEIN]:  Your  Honor,  may  we  have  a  moment? 

MJ:  Yes. 

[The  trial  counsel  conferred  with  cocounsel.] 

MJ: As you're conversing, the better approach would be to
overestimate than underestimate.

TC [MAJ  FEIN]:  Ma'am,  the  United  States  recommends  we  reconvene 
at  1015. 

MJ:  All  right.  Does  that  work  for  you? 

CDC [MR.  COOMBS]:  Yes,  Your  Honor. 

MJ:  All  right,  court  is  in  recess  till  1015. 

[The  court-martial  recessed  at  0945,  17  June  2013.] 

[The  court-martial  was  called  to  order  at  1057,  17  June  2013.] 

MJ:  Court  is  called  to  order. 

Major  Fein,  please  account  for  the  parties. 

TC [MAJ  FEIN]:  Yes,  ma'am. 

Your  Honor,  all  parties  when  the  court  last  recessed  are 
again  present  with  one  addition:  Captain  von  Elten  is  present. 

Your  Honor,  also,  the  accused  and  Major  Hurley  are 
sitting  in  the  panel  box  to  review  stipulations. 

MJ:  All  right,  thank  you. 

Have we had any additional exhibits been — that have
been marked?


8718 




TC [MAJ  FEIN]:  Yes,  ma'am.  There  are  many  exhibits  that  have 
been  marked.  First,  Your  Honor,  a  stipulation  of  expected  testimony 
for  Mr.  Motes,  Prosecution  Exhibit  131  for  Identification;  a 
stipulation  of  expected  testimony  for  Rear  Admiral  Woods,  Prosecution 
Exhibit  132  for  Identification;  a  stipulation  of  expected  testimony 
for  Vice  Admiral  Harward,  Prosecution  Exhibit  134  for  Identification; 
a  stipulation  of  expected  testimony  from  Ms.  Strobl,  Prosecution 
Exhibit  135alpha,  the  classified  version,  for  Identification;  and 
Prosecution  Exhibit  135bravo  for  Identification,  the  unclass, 
redacted  version;  a  stipulation  of  expected  testimony  for  Mr.  Allen, 
Prosecution  Exhibit  137;  a  stipulation  of  expected  testimony  for 
Staff  Sergeant  Bigelow,  Prosecution  Exhibit  142  for  Identification;  a 
stipulation  of  expected  testimony  for  Special  Agent  Williamson, 
Prosecution  Exhibit  143  for  Identification;  Special  Agent  Rock, 
Prosecution  Exhibit  79  for  Identification  —  excuse  me.  Your  Honor,  a 
stipulation  of  expected  testimony  for  Special  Agent  Rock,  Prosecution 
Exhibit  79  for  Identification;  a  stipulation  of  expected  testimony 
for  Mr.  Downey,  Prosecution  Exhibit  149  for  Identification;  and  a 
stipulation  of  expected  testimony  for  Miss  Tasha  Thian  has  been 
marked  as  Prosecution  Exhibit  150  for  Identification. 

MJ:  All  right,  thank  you. 

TC [MAJ  FEIN]:  Ma'am,  may  I  correct  one  issue?  The  stipulation 
of  expected  testimony  for  Ms.  Strobl,  Prosecution  Exhibit  135alpha 


8719 




for  Identification,  is  the  unclassified  redacted  version,  and 
Prosecution  Exhibit  135bravo  for  Identification  is  the  classified 
version. 

MJ: All right, so the two with classified stipulations of
expected testimony are Ms. Strobl and who else?

TC [MAJ  FEIN]:  Your  Honor,  for  new  prosecution  exhibits  that  is 
the  only  one.  The  other  I  think  you're  referencing  is  the 
stipulation  of  expected  testimony  for  Ms.  Travieso  —  Mr.  Travieso, 
which  has  already  been  entered  as  PE  —  Prosecution  Exhibit  118Alpha 
and  Prosecution  Exhibit  118Bravo. 

MJ:  All  right. 

Now,  does  the  defense  agree  that  the  court's  already  gone 
over  the  stipulation  of  expected  testimony  of  Mr.  Travieso  with  PFC 
Manning? 

ADC [MR.  HURLEY]:  Yes,  ma'am,  we  do. 

MJ: All right, PFC Manning, we've had this discussion about
other stipulations of expected testimony. I note for the record that
you're sitting over there in the panel box because one of the
stipulations is classified and has an unredacted stipulation with it.

Do  you  have  a  copy  of  all  of  those  stipulations  in  front 
of  you?  That  would  be  Mr.  Motes,  Rear  Admiral  Woods,  Vice  Admiral 
Harward,  Ms.  Strobl,  both  the  classified  and  redacted  versions? 

ADC [MAJ  HURLEY]:  Ma'am,  we  only  have  the  redacted  version. 


8720 




MJ:  You  only  have  the  redacted  version? 

TC [MAJ  FEIN]:  Your  Honor,  may  I  approach  the  court  reporter? 

MJ:  Yes. 

[The  trial  counsel  retrieved  the  exhibit  from  the  court  reporter.] 

TC [MAJ  FEIN]:  Your  Honor,  I'm  handing  Major  Hurley  the 
classified  version  that  you  wanted. 

[Pause] 

ADC [MAJ  HURLEY]:  We  have  it  now,  ma'am. 

MJ:  All  right. 

Major  Hurley,  has  PFC  Manning  had  an  opportunity  to  read 
the  classified  version? 

ADC [MAJ  HURLEY]:  Yes,  ma'am,  he  has. 

MJ: And Mr. Allen, Staff Sergeant Bigelow, Special Agent
Williamson, Special Agent Rock, Mr. Downey, and Ms. Thian, T-H-I-A-N,
do you have all of those stipulations of expected testimony in front
of  you? 

ACC:  Yes,  ma'am. 

MJ: Before signing these stipulations, did you read them
thoroughly?

ACC: I did, Your Honor.

MJ:  Did  you  have  enough  time  to  read  them? 

ACC:  Yes,  Your  Honor. 




MJ: Do you understand the contents of each of these
stipulations?

ACC:  Yes,  Your  Honor. 

MJ: Do you agree with the contents of each of these
stipulations?

ACC:  Yes,  Your  Honor. 

MJ: Before signing the stipulation, each one of them, did
your defense counsel explain the stipulation to you?

ACC:  Yes,  ma'am. 

MJ: Do you understand you have an absolute right to refuse to
stipulate to the contents of any of those documents?

ACC:  Yes,  Your  Honor. 

MJ: Now do you understand you should enter into those
stipulations only if you believe it's in your best interest to do
that? 

ACC:  Yes,  Your  Honor. 

MJ: All right, and once again, I want you to understand how
the stipulation is to be used. These are stipulations of expected
testimony. When counsel for both sides and you agree to a
stipulation of expected testimony, you are agreeing that if each of
these witnesses were present here in court and testifying under oath,
they would testify substantially the same way as what's in the
stipulation. The stipulation does not admit to the truth of the
person's testimony. The stipulation can be contradicted, attacked,
or  explained  in  the  same  way  as  if  the  person  was  testifying  here  in 
court;  do  you  understand  that? 

ACC:  Yes,  ma'am. 

MJ: And knowing everything that I've told you and your
defense counsel have told you, do you still want to enter into each
one  of  these  stipulations  of  expected  testimony? 

ACC:  Yes,  Your  Honor. 

MJ:  Do  counsel  for  both  sides  agree  with  the  stipulation? 

TC [MAJ  FEIN]:  Yes,  ma'am. 

ADC [MAJ  HURLEY]:  Yes,  ma'am. 

MJ: All right, may I see the original exhibits and I'll go
ahead and admit them? And we can retrieve the classified exhibit and
PFC  Manning  and  Major  Hurley  can  return  to  the  defense  table. 

[The  exhibits  were  handed  to  the  military  judge,  and  the  accused  and 
assistant  defense  counsel  did  as  directed  and  returned  to  the  defense 
table.]

MJ: [Reviewed exhibits] All right. Prosecution Exhibit 150 is
admitted; 149 is admitted; 143 is admitted; 142 is admitted; 137 is
admitted;  134  is  admitted;  135a  —  alpha  and  bravo  are  admitted; 
[pause]  and  I  believe  that  covers  them  all. 

Is  there  anything  else  we  need  to  address  before  we 
proceed  with  the  prosecution's  case? 




TC [MAJ  FEIN]:  Yes,  ma'am.  There's  one  other  administrative 
issue.  May  we  have  a  brief  moment? 

MJ:  Yes. 

[The  trial  counsel  conferred  with  cocounsel.] 

TC [MAJ  FEIN]:  Your  Honor,  the  final  stipulation  we  spoke  about 
before  was  for  Mr.  Travieso.  Prior  to  the  government  offering  the 
evidence for any stipulations, we had this as an appellate exhibit.
It was previously marked as Appellate Exhibit 539 and not marked as a
PE, although the colloquy had gone — been gone through, so the
United States offers Mr. Travieso's stipulation of expected
testimony,  dated  10  May,  what  was  previously  marked  as  Appellate 
Exhibit  539,  is  currently  marked  —  or  remarked  as  Prosecution 
Exhibit  118bravo  and  then  alpha  for  the  classified,  as  Prosecution 
Exhibit  118bravo  and  alpha,  respectively. 

ADC [MAJ  HURLEY]:  No  objection. 

MJ: All right, may I see bravo, as well, or alpha, whatever
the classified version is?

TC [MAJ  FEIN]:  Yes,  ma'am. 

[The  exhibit  was  handed  to  the  military  judge,  and  the  judge  reviewed 
the exhibits.]

MJ: All right. Prosecution Exhibits 118alpha and bravo are
admitted. I'm handing them back to the court reporter.

TC [MAJ  FEIN]:  There  are  no  other  issues,  ma'am. 




MJ:  All  right,  proceed. 

ATC [CPT von ELTEN]: Ma'am, I have a stipulation of expected
testimony  for  Mr.  Jeffrey  Motes,  Prosecution  Exhibit  131. 

[Pause] 

MJ:  Proceed. 

ATC [CPT  von  ELTEN]:  It  is  hereby  agreed  by  the  accused,  defense 
counsel,  and  trial  counsel  that  if  Mr.  Jeffrey  Motes  were  present  to 
testify  during  the  merits  phase  of  this  court-martial,  he  would 
testify  substantially  as  follows: 

I am a senior counter-terrorism analyst in the strategic
fusion cell of the J-2 section at Joint Task Force-Guantanamo Bay
(JTF-GTMO), a subcomponent of the United States Southern Command
(USSOUTHCOM). In this position, my responsibilities include
training and reviewing the work product of senior and junior
analysts and producing material responsive to Requests for
Information (RFI), such as threat assessments on current detainees.
I have worked at JTF-GTMO since 2003. Prior to joining JTF-GTMO, I
served on active duty in the United States Navy as a Cryptologic
Technician Interpretive and Arabic linguist. I have been in the
intelligence field for more than 25 years, and I have been an
intelligence analyst for more than 10 years.

Around  January  2004,  JTF-GTMO  established  the  Detainee 
Assessment Branch in response to a request from the Office for the
Administrative Review of the Detention of Enemy Combatants (OARDEC)
for  information  to  determine  the  enemy  combatant  status  of  a 
particular  detainee.  The  Detainee  Assessment  Branch  was  a  J-2 
element  tasked  with  providing  threat  intelligence  analysis  on 
detainees  at  JTF-GTMO.  The  threat  intelligence  analyst  --  analysis 
included  the  detainee's  threat  to  the  United  States  and  any  potential 
intelligence  value  of  the  detainee. 

OARDEC  established  two  types  of  reviews  for  detainees  at 
JTF-GTMO: (1) a Combatant Status Review Tribunal (CSRT), which
conducted an initial review of the status of detainees to determine,
among other things, whether detain -- the detainee was an enemy
combatant; and (2) an Annual Review Board (ARB), which conducted
annual  reviews  of  the  status  of  select  detainees  to  determine,  among 
other  things,  whether  the  detainee  should  remain  at  JTF-GTMO.  The 
Detainee  Assessment  Branch  provided  initial  assessments  of  detainees 
in  support  of  the  CSRT  and  updated  assessments  of  detainees  in 
support  of  the  ARB. 

In  March  2004,  I  began  working  in  the  Detainee  Assessment 
Branch  as  producing  —  as  a  producing  intelligence  analyst.  In  2005, 
I  became  the  team  leader  of  the  Detainee  Assessment  Branch.  The 
Detainee  Assessment  Branch  consist  —  consisted  of  up  to  20  senior 
and  junior  intelligence  analysts,  both  military  and  civilian.  My 
responsibilities as team leader included training the team
responsible for preparing assessments on detainees, preparing
assessments on detainees, and coordinating intelligence between
intelligence analysts assigned to the Detainee Assessment Branch and
the United States Government. I worked in the Detainee Assessment
Branch as the team leader until 2012, with the exception of 1 year
from 2009 to 2010 when I worked at USSOUTHCOM as a subject matter
expert (SME) on Sunni extremism for South America. Before joining
the Detainee Assessment Branch, I was a senior intelligence analyst
on a tiger team responsible for preparing detainee assessments and
debriefing detainees upon arrival at JTF-GTMO.

The detainee assessments were a recommendation to
USSOUTHCOM for disposition of detainees, which included the
detainee's threat level and intelligence value to the United States
and its allies. I am very familiar with the detainee assessments
prepared by JTF-GTMO. I am familiar with the format, letterhead,
and structure of the detainee assessments.

I am very familiar with how detainee assessments were
produced because I created and trained others how to create detainee
assessments. I am also very familiar with the process necessary to
create detainee assessments because I was either responsible for
many of -- many steps of this process or I tracked the status of
this process. I have been responsible for the first four steps of
the below process during my tenure at JTF-GTMO.


The process to create a detainee assessment was as
follows:

First,  a  senior  or  junior  intelligence  analyst  reviewed 
any  previously  written  intelligence  memoranda  and  any  additional 
intelligence  relating  to  the  detainee  that  was  stored  in  the  Joint 
Detainee Information Management System (JDIMS), the classified
database at JTF-GTMO that stored intelligence relating to detainees.
JDM — JDIMS was available on SIPRNet; however, a user could not
access JDMI — JDIMS without being granted a separate account.
Further, even with a JDIMS account, the user did not have full
access to all of the intelligence stored in JDMIS [sic]. The senior
or  junior  intelligence  analyst  also  conducted  additional  research  in 
multiple  intelligence  databases  located  on  classified  networks, 
outside  of  JDIMS,  on  the  particular  detainee. 

Second,  the  senior  or  junior  intelligence  analyst  drafted 
the  detainee  assessment,  which  included  the  analysis  as  to  the 
detainee's  threat  level  and  intelligence  value  to  the  United  States 
and  its  allies. 

Third,  the  draft  detainee  assessment  was  submitted  to 
another  senior  or  junior  intelligence  analyst  for  peer  review.  The 
intelligence  analyst  reviewed  the  draft  detainee  assessment, 
conducted  individual  research  and  analysis  on  the  detainee,  and 
provided  edits  and/or  comments. 




Fourth, the draft detainee assessment was submitted to a
senior intelligence analyst for Quality Assure [sic] Quality Control
(QAQC) who conducted further research and analysis on the detainee
to collect any additional intelligence and to verify the logic of
the analysis on the detainee. The senior intelligence analyst
provided edits and/or comments.

Fifth, the draft detainee assessment was submitted to
the Officer-in-Charge (OIC) of the Detainee Assessment Branch who
conducted further research and analysis on the detainee to collect
any additional intelligence from the classified network and to
verify the logic of the analysis on the detainee. The OIC provided
edits and/or comments.

Sixth, the draft detainee assessment was submitted to the
Office of the Staff Judge Advocate (OSJA) for legal review. The
OSJA reviewed the draft detainee assessment and provided any edits
and/or comments.

Seventh, the draft detainee assessment was submitted to
the Joint Intelligence Group (JIG) or J-2 Director. The JIG or J-2
Director reviewed the draft detainee assessment and provided any
edits and/or comments.

Eighth, the draft detainee assessment was submitted to
the Deputy Commander, JTF-GTMO. The Deputy Commander, JTF-GTMO,
reviewed the draft detainee assessments and provided any edits
and/or  comments. 

Ninth,  the  draft  detainee  assessment  was  submitted  to 
the Commander, JTF-GTMO. The Commander, JTF-GTMO, reviewed the
draft  detainee  assessment  and  provided  any  edits  and/or  comments. 
Once  all  changes  were  made,  the  Commander,  JTF-GTMO,  signed  the 
detainee  assessment. 

Tenth,  the  signed  detainee  assessment  was  submitted  to 
OARDEC  through  USSOUTHCOM. 

I  am  very  familiar  with  how  long  the  above  process  took 
to  complete  one  detainee  assessment.  The  first  two  steps  of  this 
process,  having  the  intel  —  initial  intelligence  analyst  create  a 
draft  detainee  assessment,  took  no  less  than  one  week,  including 
overtime,  to  complete.  To  the  best  of  my  memory,  completing  one 
draft  detainee  assessment  took,  on  average,  50  to  55  working  hours. 
The  third  step  of  this  process,  having  another  intelligence  analyst 
conduct  peer  review  of  the  draft  detainee  assessment,  took,  on 
average,  2  working  hours  per  assessment.  The  fourth  step  of  this 
process,  having  a  senior  intelligence  analyst  conduct  QAQC  of  the 
draft  detainee  assessment,  took,  on  average,  16  working  hours  per 
assessment.  Each  remaining  step  necessary  to  complete  one  draft 
detainee  assessment  took  between  a  few  hours  to  one  week  to 
complete. In total, the entire process to create one detainee
assessment took approximately 1 month and consisted of, on average,
80  to  90  working  hours.  The  most  detainee  assessments  created  in  1 
fiscal  year  was  approximately  520. 

Both  Servicemembers  and  civilian  contractors  were 
involved in the above process to create one detainee assessment.
The lowest ranking Servicemember involved in the process was E-4,
specialist.  The  lowest  ranking  civilian  contractor  in  this  process 
was  equivalent  to  a  GS-12  employee.  My  rank  when  I  was  involved  in 
creating  detainee  assessments  was  equivalent  to  a  GS-13,  and  my 
lowest  salary  during  this  time  was  approximately  $70,000  per  year. 

I  am  very  familiar  with  what  type  of  intelligence  was 
included  in  detainee  assessments.  Detainee  assessments  include, 
among  other  things,  background  information  on  the  detainee,  details 
of  the  detainee's  capture,  the  detainee's  affiliation  with  terrorist 
organizations,  the  detainee's  recruitment  and  travel,  the  reasons 
for  the  detainee's  transfer  to  JTF-GTMO,  indicators  of  the 
detainee's  threat  level  and  intelligence  value  to  the  United  States 
and  its  allies,  and  the  analysis  of  the  detainee's  threat  level  and 
intelligence  value  to  the  United  States  and  its  allies.  Prosecution 
Exhibit  (PE)  103  for  Identification  is  the  classified  list  of  the 
different  sources  of  classified  intelligence  reporting  from  which  I 
and  the  other  analysts  derived  the  information  used  in  the 
assessments.




The  background  information  on  the  detainee  included, 
among  other  things,  the  detainee's  biographical  data,  picture,  health 
information,  employment,  religion,  and  family  members  or  relatives 
with  extremist  links.  This  information  was  obtained  from  a  variety 
of  intelligence  sources  and  was  included  in  the  detainee's 
assessment  as  part  of  the  intelligence  analysis  to  determine  the 
detainee's  commitment  to  terrorist  organizations,  which  were 
important  factors  in  determining  the  detainee's  threat  level  and 
intelligence  value  to  the  United  States  and  its  allies.  I 
understand  that  all  of  this  data  would  be  known  to  the  detainee  and 
may  be  known  to  his  --  by  his  associates  listed.  However,  since  we 
do  not  learn  all  of  this  information  from  the  detainee  himself,  the 
detainee  may  not  understand  the  extent  of  what  the  United  States 
knows  about  his  background  information. 

The  detainee's  capture  include  --  the  details  of  the 
detainee's  capture  included,  among  other  things,  how  the  detainee 
became  involved  in  activities  that  led  to  capture;  where,  how,  and 
with  whom  the  detainee  was  captured;  what  the  detainee  was  doing 
when  captured;  events  such  as  engagements  with  United  States 
military forces that led to the detainee's capture; and the date of
transfer  to  JTF-GTMO.  This  information  was  obtained  from  a  variety 
of  intelligence  sources  and  was  included  in  the  detainee's 
assessments  as  part  of  the  analysis  to  determine  the  detainee's 


8732 


1 

2 

3 

4 

5 

6 

7 

8 

9 

10 

11 

12 

13 

14 

15 

16 

17 

18 

19 

20 

21 

22 


affiliation  and  commitment  to  terrorist  organizations,  which  were 
important  factors  in  determining  the  detainee's  threat  level  and 
intelligence  value  to  the  United  States  and  its  allies.  I 
understand  that  most,  if  not  all,  of  this  data  would  be  known  to  the 
detainee  or  may  be  known  by  his  associates.  However,  since  we 
usually  do  not  learn  all  of  this  information  from  the  detainee 
himself,  the  detainee  may  not  understand  the  extent  of  what  the 
United  States  knows  about  the  details  of  his  capture. 

The  detainee's  affiliation  with  terrorist  organizations 
included  individuals  the  detainee  associated  with  at  the  terrorist 
organizations  and  the  detainee's  movements  within  the  terrorist 
organizations.  This  information  was  obtained  from  a  variety  of 
intelligence  sources  and  was  included  in  the  detainee's  assessment  as 
part  of  the  analysis  to  determine  the  detainee's  affiliation  and 
commitment  to  terrorist  organizations,  which  were  important  factors  in 
determining  the  detainee's  threat  level  and  intelligence  value  to  the 
United  States  and  its  allies.  I  understand  all  of  this  information 
would  be  known  to  the  detainee  and  may  be  known  by  his  associates 
listed.  However,  since  we  usually  do  not  learn  all  of  this  information 
from  the  detainee  himself,  the  detainee  may  not  understand  the  extent 
of  what  the  United  States  knows  about  his  affiliation  with  terrorist 
organizations.




PE  103  for  Identification  includes  serialized  intelligence 
reports  to  the  intelligence  community  (IC)  and  intelligence 
information.  The  serialized  intelligence  reports  published  to  the 
IC include Items 5, 15 through 19, 30, 31, 34, and 35 in PE 103 for
Identification. Intelligence information is included in all of the
sources in PE 103 for Identification, except for Items 1, 20, 27,
and  28.  Information  can  be  derived  from  all  sources  in  PE  103  for 
Identification  and  included  in  serialized  intelligence  reports 
published  to  the  IC. 

I  am  very  familiar  with  where  the  detainee  assessments 
are stored. Detainee assessments are stored in three locations:
(1) on the shared drive at JTF-GTMO, which is located on the Secure
Internet Protocol Network [sic] (SIPRNet); (2) after signed by the
Commander, JTF-GTMO, on JDIMS, which is located on the SIPRNet; and
(3) in a database accessible through the JTF-GTMO Detainee Assessment
Branch Web site on Intellipedia, which is located on the SIPRNet.
"Intellipedia," which is analogous to Wikipedia, is a Web site on
the  SIPRNet  that  allows  for  the  sharing  of  intelligence  in  the  IC 
and  to  analysts  on  SIPRNet  and  JWICS. 

In  March  2009  and  in  response  to  a  tasking  from  J-2  at 
JTF-GTMO,  I  created  the  database  accessible  through  JTF-GTMO 
Detainee  Assessment  Branch  Web  site  on  Intellipedia.  It  took  me 
approximately 63 working hours to create this database, which
included the time to research the structure of the write-up
language,  find  and  update  all  source  documents,  and  link  to  each 
file  —  link  each  file  to  the  correct  detainee.  This  database  stored 
all  detainee  assessments,  which  totaled  more  than  700.  I  have  spent 
approximately  50  additional  hours  updating  and  otherwise  maintaining 
this  database. 

The  filename  for  each  detainee  assessment  in  this 
database  included  the  Internment  Serial  Number  (ISN)  for  the 
particular  detainee,  the  recommendation  for  the  detainee,  and  the 
date  of  the  detainee  assessment.  The  format  of  this  filename  was 
as follows: ISN_recommendation date — recommendation_date. The
filename was linked to a unique, sequential document identification
number  (Document  ID),  which  was  the  particular  detainee 
assessment.  If  a  user  who  accessed  the  database  through  the 
JTF-GTMO  Detainee  Assessment  Branch  Web  site  scrolled  over  a 
filename  with  his  or  her  mouse,  the  document  number  would  appear. 

In  my  capacity  as  the  team  leader  of  the  Detainee 
Assessment  Branch,  I  reviewed  five  detainee  assessments  pertaining 
to  United  States  v.  Private  First  Class  Bradley  Manning,  which  the 
prosecution  provided  to  JTF-GTMO.  These  detainee  assessments  are 
located  in  Appellate  Exhibit  (AE)  501  and  have  Bates  numbers 
00378123-00378140.  PE  95  for  Identification  contains  these  five 
detainee assessments. I am able to identify these documents as
detainee assessments based on the format, letterhead, and content
of  the  documents. 

The  five  detainee  assessments  within  PE  95  for 
Identification  are  all  marked  at  the  top  and  bottom  of  each  page 
Secret.  None  of  the  five  detainee  assessments  within  PE  95  for 
Identification  has  been  made  publicly  available  by  the  United  States 
Government.

The  five  detainee  assessments  within  PE  95  for 
Identification  identify  activities  related  to  national  preparedness. 
These documents include the following matters: (1) United States
intelligence relating to identified associates of terrorist
organizations,  to  include  names,  affiliations,  and  whereabouts;  (2) 
United  States  intelligence  relating  to  training  activities  of  those 
terrorist  organizations,  to  include  the  substance  of  such  training; 
(3)  United  States  intelligence  relating  to  the  tactics,  techniques, 
and  procedures  (TTPs)  of  those  organizations,  to  include  details 
relating  to  enemy  movement,  housing  networks,  and  recruiting 
activities;  (4)  United  States  intelligence  relating  to  enemy 
engagement  with  the  United  States  military  forces;  (5)  our 
intelligence  analysis  of  the  detainee's  cooperation  and  credibility, 
which,  if  released,  could  affect  the  subsequent  recruitment  of  the 
detainee  and  the  willingness  of  countries  to  accept  the  departing 
detainee; (6) United States analysis of the intelligence value of
the detainee, to include any intelligence gap of the United States
relating  to  members  of  terrorist  organizations,  terrorist  recruiting 
activities,  and  future  operations;  and  (7)  United  States 
intelligence  relating  to  the  detainee's  threat  level  to  the  United 
States  and  its  allies.  I  understand  that  there  are  portions  of  this 
material  that  would  already  be  known  to  the  detainees  or  his 
associates.  However,  neither  the  detainee  nor  his  associate  would 
know  our  analysis  relating  to  the  detainee.  Further,  neither  the 
detainee  nor  his  associate  may  understand  the  extent  of  what  the 
United  States  knows  about  the  detainee.  I  understand  that  the 
detainee,  if  released,  could  share  this  information  known  by  the 
detainee  with  anyone.  Of  that  information  which  we  learned  from  the 
detainee,  I  am  not  aware  of  any  detainee  who  has  shared  all  of  that 
information.  I  also  understand  that  the  associates  of  the  detainee 
could  share  information  relating  to  the  detainee  known  by  an 
associate  —  by  the  associate  with  whomever  they  pleased.  Of  that 
information  relating  to  the  detainee  which  we  learned  from  an 
associate,  I  am  not  aware  of  any  associate  who  has  shared  all  of 
that  information  relating  to  the  detainee. 

I  am  aware  that  there  is  some  information  pertinent  to 
these  documents  available  in  open  source  material.  I  am  also  aware 
of  the  extensive  litigation  that  happens  for  these  detainees  in 
federal court and the military commissions. I did not consider
those things when I identified the sources of intelligence for the
above  detainee  assessments,  which  was  the  only  role  I  played  during 
the  classification  review. 

In  October  of  2007,  I  am  aware  that  the  Department  of 
Defense  released  in  the  FOIA  reading  room  the  Combatant  Status 
Review  Tribunals  (CSRT)  and  Administrative  Review  Boards  (ARB) 
documents held between July 2004 and July 2007. The CSRTs were a
set  of  tribunals  for  confirming  whether  detainees  held  by  the  United 
States  at  Guantanamo  had  been  correctly  designated  as  "enemy 
combatants."  The  ARBs  were  used  to  conduct  an  annual  review  of  the 
detainees  to  review  whether  they  still  represent  a  threat  or  not  to 
the  United  States.  The  released  information  identified  each  detainee 
by  name  and  their  general  background  information  for  those 
individuals  still  held  at  JTF-GTMO  at  this  —  at  that  time. 

Ma'am, -

MJ: Uh-huh [affirmative response].

ATC [CPT von ELTEN]: - at this time the United States offers
Prosecution Exhibit 95 for Identification and Prosecution Exhibit 103
for  Identification  into  evidence. 

CDC [MR. COOMBS]: No objection, ma'am.

MJ:  May  I  see  them,  please? 

[PE  95  for  ID  and  PE  103  for  ID  were  handed  to  the  military  judge, 
and the military judge reviewed the exhibits.]




MJ:  All  right.  Prosecution  Exhibits  95  and  103  are  admitted. 

And just for the record, Counsel, I notice here we have
the exhibits handwritten in where it looked like there had been a
blank line. We discussed that with earlier stipulations. I believe
you came together with the stipulation, the parties just weren't sure
what  the  prosecution  exhibit  number  would  be  and  that's  why  it's 
handwritten  in  there;  is  that  true  for  these  stipulations  of  expected 
testimony  too? 

TC [MAJ  FEIN]:  Yes,  ma'am. 

CDC [MR. COOMBS]: Yes, ma'am; and we took the additional step
that  once  those  were  written  in,  we  had  PFC  Manning  sit  down  with  the 
exhibits  that  were  identified,  and  as  we  worked  through  the 
stipulations,  we  verified  that  the  prosecution  exhibit  that  had  been 
written  in  comported  with  the  surrounding  information  in  the 
stipulation. 

MJ:  All  right,  is  that  true,  PFC  Manning? 

ACC:  Yes,  Your  Honor. 

MJ: Okay. And is that going to be the procedure for the rest
of the stipulations of expected testimony?

CDC [MR. COOMBS]: Yes, ma'am. We've done that on a few before,
like  the  one  that  we're  about  to  read  now,  the  more  complicated  ones, 
but  now,  going  forward,  it's  going  to  be  the  practice  every  time  with 
every  future  stipulation. 




MJ:  And  is  that  with  the  concurrence  of  both  sides? 

TC [MAJ  FEIN]:  Yes,  ma'am. 

CDC [MR.  COOMBS]:  Yes. 

MJ:  Okay. 

PFC  Manning,  you  agree  to  this  too? 

ACC:  Yes,  Your  Honor. 

MJ:  All  right,  proceed. 

TC [MAJ  FEIN]:  The  United  States  offers  on  the  record  a 
stipulation  of  expected  testimony,  what  has  been  marked  as 
Prosecution  Exhibit  132,  for  Rear  Admiral  David  Woods,  dated  16  June 
2013; again, Prosecution Exhibit 132.

It  is  hereby  agreed  by  the  accused,  defense  counsel, 
and  trial  counsel  that  if  Rear  Admiral  (Lower  Half)  David  B.  Woods 
were  present  to  testify  during  the  merits  and  presentencing  phases 
of  this  court-martial,  he  would  testify  substantially  as  follows: 

I  am  a  Rear  Admiral  (Lower  Half)  in  the  United  States 
Navy  with  32  years  of  active  service.  My  current  position  is 
Commander,  Strike  Force  Training  Pacific,  San  Diego,  California.  I 
was previously the Commander, Joint Task Force-Guantanamo (JTF-GTMO),
at Guantanamo Bay, Cuba. I held this position from 24 August 2011
through 25 June 2012 and reported during that time to General
Douglas Fraser, Commander, United States Southern Command
(USSOUTHCOM). My time as Commander, JTF-GTMO was my fifth command
tour as an original classification authority (OCA). I graduated
from  the  United  States  Naval  Academy  in  1981  and  was  designated  as  a 
naval  flight  officer  in  1983.  I  also  received  a  master's  degree  in 
National  Security  and  Strategic  Studies  from  the  Naval  War  College 
in  1997. 

As  a  U.S.  Navy  captain,  I  served  as  the  commander  of 
Carrier  Wing  (CVD)  —  excuse  me,  Your  Honor  —  (CVW)  11  and  deployed 
twice  in  support  of  Operations  Enduring  Freedom  and  Iraqi  Freedom 
aboard the USS Nimitz. Additionally, as part of a joint assignment,
I was the Commander of Joint Crew Composite Squadron One. Our
squadron  was  responsible  for  the  Multi-National  Corps-Iraq  electronic 
warfare  fight  against  improvised  explosive  devices.  After  my 
promotion,  I  served  as  the  Director,  Strategy  and  Policy  Division, 
Chief  of  Naval  Operations  for  Operations,  Plans  and  Strategy  (N3/N5) 
before  taking  command  of  JTF-GTMO. 

As  Commander,  JTF-GTMO,  I  was  an  OCA.  My 
responsibilities  in  that  position  included  the  review  of  JTF-GTMO 
information  for  classification  purposes  pursuant  to  Executive  Order 
(EO)  13526,  the  Classified  National  Security  Information,  and  its 
predecessor  orders.  Prior  to  this  position,  I  was  an  OCA  while 
serving in the following positions: (1) 05 Squadron Commander,
VAQ-131, 1998 to 2000; (2) Training Squadron Commanding Officer,
VAQ-129, 2002 to 2004; (3) Air Wing Commander, CVW 11, USS Nimitz,
2005  to  2007;  and  (4)  Commander  of  Joint  Crew  Composite  Squadron  One 
in  Iraq,  2007  to  2008.  At  all  times  I  served  as  an  OCA,  I  received 
annual  training  consistent  with  EO  13526  or  previous  guidance. 

Information  that  requires  protection  in  the  interest  of 
national  security  of  the  United  States  is  designated  classified 
national  security  information  under  Executive  Order  (EO)  13526, 
Classified  National  Security  Information,  signed  by  President  Obama 
on  December  29th,  2009.  Information  is  classified  in  levels 
commensurate  with  the  assessment  that  its  unauthorized  disclosure 
reasonably  could  be  expected  to  cause  the  following  damage  to 
national  security: 

"Top  Secret  information"  is  information  that  could  cause 
exceptionally grave damage to national security; "Secret
information"  is  information  that  could  cause  serious  damage  to 
national  security;  and  "Confidential"  information  is  information 
that  could  cause  damage  to  national  security. 

Unclassified  information  does  not  require  a  security 
clearance  for  access,  but  nonetheless  may  be  of  a  sensitive  nature. 
The  current  basis  for  classification  of  national  security 
information  is  found  in  EO  13526.  Section  1.3  of  EO  13526 
authorizes  an  OCA,  such  as  me  when  I  was  Commander,  JTF-GTMO,  to 
classified  [sic]  information  owned,  produced,  or  controlled  by  the 
United  States  Government  if  it  falls  within  certain  classification
categories.  One  such  category  found  at  Section  1.4(c)  of  EO  13526 
concerns  information  that  pertains  to  intelligence  activities 
(including special activities), intelligence sources or methods, or
cryptology. 

I  reviewed  five  charged  documents  from  the  United  States 
Southern Command and JTF-GTMO database, Bates numbers
00378123-00378140,  contained  within  Appellate  Exhibit  501,  and  made 
the  below  determinations  with  respect  to  those  documents. 

First,  all  five  documents  were  properly  marked  at  the 
"Secret"  classification  level. 

Second,  disclosure  of  the  information  identified  in  the 
five  documents  reasonably  could  be  expected  to  cause  serious  damage 
to  the  national  security  of  the  United  States.  In  making  this 
statement  regarding  the  classification  of  information  in  this  case,  I 
replied  —  I  relied  upon  my  personal  knowledge  and  experience;  the 
information  made  available  to  me  in  my  official  capacity;  the  advice 
I  received  from  my  staff  and  their  conclusions  reached. 

Third,  in  the  first  half  of  2010  and  at  the  time  of  the 
disclosures,  the  five  documents  were  classified  pursuant  to  Section 
1.4(c)  of  EO  13526  because  they  contained  information  concerning 
intelligence  sources  and  methods,  and  information  that,  if  released, 
could  cause  serious  damage  to  national  security.  This  information 
was  classified  at  the  Secret  level. 




Fourth,  the  five  documents  contained  intelligence  data 
compiled  about  detainees  or  summaries  of  such  data.  Intelligence 
data  included  a  description  of  the  detainee's  biographical 
information,  the  circumstances  of  his  capture,  what  he  had  in  his 
possession  when  he  was  captured,  the  circumstances  and  date  of  his 
transfer  to  Guantanamo,  his  travel,  his  affiliations  with  individuals 
and  organizations  of  intelligence  interest,  and  his  activities  in 
support  of  those  organizations.  All  of  this  information  would  be 
known  to  the  individual  detainee.  The  intelligence  data  also 
included  information  about  other  persons  and  organizations.  I 
determined  that  the  intelligence  data  contained  in  the  documents 
reveal  details  about  intelligence  we  have  gleaned  regarding 
individuals  and  organizations  of  intelligence  interest. 

Additionally,  this  information  revealed  the  sources  of 
our  intelligence,  as  well  as  the  methods  and  approaches  for 
collecting  intelligence.  At  the  time  of  their  creation,  the 
documents  and  intelligence  data  contained  in  them  were  classified  at 
the  Secret  level  through  the  action  of  the  Commander,  JTF-GTMO,  and 
remained  classified  at  the  Secret  level  in  the  first  half  of  2010 
and  at  the  time  of  their  disclosure. 

Fifth,  I  determined  that  the  documents  and  information 
remained  properly  classified  after  their  creation  and  that  their 
release  reasonably  could  be  expected  to  cause  serious  damage  to  the
national  security  because  it  would  reveal  information  concerning 
intelligence  sources,  the  specific  information  obtained  from  such 
sources,  or  both.  Accordingly,  this  information  was  properly 
classified  at  the  Secret  level  pursuant  to  Section  1.4(c)  of  EO 
13526. 

I  am  aware  that  there  may  have  been  information  pertinent 
to  the  documents  available  in  open  source  material.  I  did  not  use 
this  material  or  its  publicly  available  status  in  making 
classification  determinations.  If  there  was  information  that  had 
been  previously  released  under  the  authority  of  the  United  States 
Government,  I  would  consider  the  authorized  release  of  information  by 
the  United  States  Government  as  part  of  my  review  of  the 
classification  of  the  entire  document.  I  am  aware  of  the  exist  — 
extensive  litigation  that  happens  for  these  detainees  in  federal 
court  and  the  military  commissions.  Those  cases  did  not  affect  the 
classification  review  for  these  documents. 

In  October  of  2007,  I  was  aware  that  the  Department  of 
Defense  released  in  the  FOIA  reading  room  for  the  Combatant  Status 
Review  Tribunals  (CSRT)  and  the  Administrative  Review  Boards  (ARB) 
documents  held  between  July  2004  and  July  2007.  The  CSRTs  were  a 
set  of  tribunals  for  confirming  whether  detainees  held  by  the  United 
States  at  Guantanamo  had  been  correctly  designated  as  "enemy 
combatants."  The  ARBs  were  used  to  conduct  an  annual  review  of  the
detainees  to  review  whether  they  still  represent  a  threat  or  not  to 
the  United  States.  The  released  information  identified  each  detainee 
by  name  and  the  general  background  information  for  those  individuals 
still  held  at  JTF-GTMO  at  the  time. 

Prosecution  Exhibit  95  for  Identification  are  those  five 
documents  I  described  above. 

ATC [CPT  MORROW]:  Your  Honor,  the  prosecution  offers  the 
stipulation  of  expected  testimony  for  Louis  Travieso,  Prosecution 
Exhibit  118bravo. 

MJ:  All  right,  proceed. 

ATC [CPT  MORROW]:  It  is  hereby  agreed  by  the  accused,  defense 
counsel,  and  trial  counsel  that  if  Louis  Travieso  were  present  to 
testify  during  the  merits  and  presentencing  phases  of  this 
court-martial,  he  would  testify  substantially  as  follows: 

I,  Louis  Travieso,  am  a  former  noncommissioned  officer  in 
the  United  States  Army.  I  served  4  years  in  the  military 
occupational  specialty  (MOS)  of  13Fox.  The  Defense  Intelligence 
Agency  (DIA)  recruited  me  to  become  an  intelligence  officer 
immediately  after  completing  my  service  in  the  Army.  I  became  an 
intelligence  officer  for  DIA  in  2006.  In  2010  while  serving  as  a  DIA 
intelligence  officer,  I  received  a  bachelor  of  arts  in  criminology 
from  Saint  Leo  University.  In  2012,  I  received  a  master's  in 
business  administration  from  Saint  Leo  University. 




Currently,  I  work  at  MacDill  Air  Force  Base  as  a  DIA 
intelligence  officer  at  the  United  States  Central  Command  (USCENTCOM) 
headquarters.  In  addition  to  being  an  intelligence  officer,  I  am  the 
lead  plans  officer  for  certain  countries.  I  have  been  the  lead  plans 
officer  since  2011.  I  work  within  the  Targeting  and  Geospatial 
Readiness  Department,  which  is  within  the  Combat  Readiness  Branch  at 
CENTCOM  headquarters.  The  mission  of  the  department  is  to  gather 
targeting  and  geospatial  data  and  assembling  it  into  a  comprehensive 
picture  for  the  commander. 

As  the  lead  plans  officer  for  certain  countries  and  a  DIA 
intelligence  officer,  I  lead  all  intelligence  support  for  my  section 
by  meeting  with  planners,  obtaining  systems  requirements,  assuring 
the  requirements  are  met,  and  ensuring  that  the  Joint  Information 
Center  (JIC)  is  supported  by  providing  a  comprehensive  picture  from 
the  relevant  targeting  and  geospatial  systems.  This  work  supports 
the  JIC's  mission  to  provide  direct  intelligence  to  all  forces 
assigned  to  the  Commander,  USCENTCOM.  I  work  with  classified 
information  daily  in  all  of  these  tasks. 

Previously,  I  worked  as  an  Information  Review  [sic] 
Specialist  with  DIA  from  2006  until  2011.  As  the  Information  Release 
Specialist,  I  processed  information  for  declassification.  I  was  the 
subject  matter  expert  responsible  for  determining  whether  J-2  still 
possessed  classified  equities.  In  that  position,  I  worked  with
classified  documentation  and  reviews  for  classification  daily. 
Currently,  I  still  support  information  release  work  and  am  consulted 
on  occasion  regarding  declassification. 

I  first  gained  familiarity  with  this  above-captioned  case 
when I supported the Information Review Task Force (IRTF). I
supported  the  IRTF  by  making  available  the  JIC's  expertise,  analysis, 
and  information  collection  management  to  other  agencies  participating 
in  the  IRTF. 

I  was  tasked  to  this  case  through  CENTCOM's  tasking 
management  tool.  The  tool  sent  the  task  requirement  to  J-2,  and  then 
J-2  assigned  me. 

After  receiving  the  assignment,  I  began  conducting  a 
line-by-line  review  of  the  provided  documents,  which  included,  among 
others,  documents  from  the  Combined  Information  Data  Exchange 
(CIDNE)-Iraq, CIDNE-Afghanistan, and documents related to the AR 15-6
of  the  Farah  civilian  casualties  incident.  I  reviewed  the  documents 
for  J-2  equities,  such  as  intelligence  sources  and  methods,  military 
operations,  or  system  cap  —  systems  capabilities.  During  the 
review,  I  coordinated  equities  with  the  relevant  agencies. 

To  determine  classification,  I  applied  the  CENTCOM 
classification  guide  appropriate  to  the  time  of  the  document.  I 
reviewed  each  document  at  the  time  of  its  origin  and  at  the  time  of 
its  compromise.  Everything  I  reviewed  was  at  the  Secret  level. 




Furthermore,  Classified  Document  was  marked  "Secret"  on 
the  top  and  bottom  of  each  page.  As  an  information  release 
specialist  and  lead  plans  officer  for  my  section,  I  frequently  handle 
classified  documents  like  Classified  Document.  This  document  is  only 
found  on  SIPRNet  or  a  higher  classified  network  because  it  is 
classified.  Classified  documents,  like  Classified  Document,  are 
marked  with  the  appropriate  classification  on  the  top  and  the  bottom 
of  the  page.  These  markings  put  the  reader  on  notice  that  the 
information  is  classified  and  should  be  handled  accordingly. 
Furthermore,  the  paragraphs  in  a  classified  document  are 
portion-marked,  which  also  puts  the  reader  on  notice  of  the  specific 
classification  for  that  section. 

Classified  documents  and  documents  marked  as  classified 
must  be  handled  in  accordance  with  the  rules  set  forth  in  Executive 
Order  13526  and  previously  in  Executive  Order  12958.  I  am  familiar 
with  these  executive  orders  because  I  have  been  working  under  the 
guidelines  set  forth  therein  during  my  entire  professional  career  as 
a  DIA  intelligence  officer. 

And for the record, Your Honor, the United States did not
read  paragraph  9  of  this  prosecution  exhibit. 

MJ:  All  right. 




ATC [CPT  MORROW]:  Your  Honor,  the  United  States  offers 
Prosecution  Exhibit  134,  which  is  the  stipulation  of  expected 
testimony  of  Vice  Admiral  Robert  S.  Harward,  dated  17  June  2013. 

MJ:  Proceed. 

ATC [CPT  MORROW]:  It  is  hereby  agreed  by  the  accused,  defense 
counsel,  and  trial  counsel,  that  if  Vice  Admiral  Robert  S.  Harward, 
Jr.,  were  present  to  testify  during  the  merits  and  presentencing 
phases  of  this  court-martial,  he  would  testify  substantially  as 
follows:

I  am  a  Vice  Admiral  in  the  United  States  Navy  with  32 
years  of  active  service.  I  currently  serve  as  Deputy  Commander, 
United States Central Command (USCENTCOM), at MacDill Air Force Base.

I  began  my  career  as  a  surface  warfare  officer  aboard  the 
destroyer  USS  Scott  (DDG  995),  and  then  transferred  to  the  Naval 
Special  Warfare  community.  I  was  the  "Honor  Man"  of  Basic  Underwater 
Demolition (BUD)/Sea, Air, Land (SEAL) class 128, and I have served
in  both  East  and  West  coast  SEAL  teams. 

My  tours  in  the  Naval  Special  Warfare  community  include: 
commander,  SEAL  Team  Three;  assault  team  leader  and  operations 
officer  at  Naval  Special  Warfare  Development  Group;  SEAL  plans 
officer  for  Commander,  Amphibious  Force,  U.S.  Fleet  —  U.S.  7th 
Fleet; executive offer — executive officer, Naval Special Warfare
Unit One; aide-de-camp to Commander, U.S. Special Forces — or
Special  Operations  Command;  Combined  Joint  Special  Operations  Task 
Force (CJSOTF) deputy commander in Bosnia; deputy commander, Special
Operations Command, Pacific; commander, Naval Special Warfare Group
One; and deputy commanding general, Joint Special Operations Command.

My  additional  assignments  include  a  tour  in  the  Executive 
Office  of  the  President  at  the  White  House,  where  I  served  on  the 
National  Security  Council  as  the  director  of  Strategy  and  Policy  for 
the  Office  of  Combating  Terrorism.  My  first  flag  assignment  was 
chairman  of  the  Joint  Chiefs  of  Staff  representative  to  the  National 
Counterterrorism Center (NCTC), as a member of the Senior Interagency
Strategy  Group.  Additionally,  I  served  as  deputy  commander,  U.S. 
Joint  Forces  Command,  and  most  recent  —  most  recently  I  served  as 
commander  of  Combined  Joint  Interagency  Task  Force  (CJIATF)  435  from 
2009  to  2011  in  Afghanistan.  CJIATF  is  the  task  force  dedicated  to 
detainee  operations  in  Afghanistan.  I  have  commanded  troops  in 
Afghanistan  and  Iraq  over  6  years  since  September  11th,  2001. 

I  have  been  the  deputy  commander,  USCENTCOM,  since 
11  July  2011.  My  responsibilities  include  exercising  Top  Secret  and 
below  original  classification  authority,  which  includes  rendering  a 
determination  of  CENTCOM-generated  information  for  classification 
purposes  pursuant  to  a  written  delegation  from  the  Deputy  Secretary 
of Defense and under the authority of Executive Order (EO) 13526.
Per EO 13526, Section 1.3, the authority to classify information
originally  may  be  exercised  only  by  an  OCA  and  must  be  delegated  by 
the  President,  the  Vice  President,  or  an  agency  head  or  designated 
official.

Information  which  requires  protection  in  the  interest  of 
the  national  security  of  the  United  States  is  designated  classified 
national  security  information  per  EO  13526,  Classified  National 
Security  Information,  signed  by  President  Barack  H.  Obama  on 
29  December  2009;  and  for  information  classified  prior  to  June  27, 
2010,  according  to  EO  12958  signed  by  President  William  J.  Clinton  on 
April  17th,  1995,  as  amended  by  President  George  W.  Bush  on  March 
25th,  2003. 

Information  is  classified  in  levels  commensurate  with  the 
assessment  that  an  unauthorized  disclosure  could  cause  the  following 
expected  damage  to  national  security:  For  exceptionally  grave  damage 
to  national  security:  Top  Secret;  for  serious  damage  to  national 
security: Secret; and for damage to national security:
Confidential.

Within  USCENTCOM,  classified  information  is  handled  and 
protected  in  accordance  with  Executive  Order  13526,  and  predecessor 
orders,  on  Classified  National  Security  Information. 

In  total,  four  categories  of  classified  information,  as 
identified  in  EO  13526  and  its  predecessor  EOs,  were  included  in  the 
documents  I  reviewed.  Because  the  mission  of  USCENTCOM  encompasses
the  conduct  of  military  operations,  USCENTCOM  relies  primarily  upon 
two  classification  categories  when  protecting  national  security 
information,  which  are  identified  in  Section  1.4  of  EO  13526  as 
1.4(alpha), military plans, weapons systems, or operations, and
1.4(charlie), intelligence activities, including covert action;
intelligence  sources  or  methods;  or  cryptology. 

Classified  information  should  be  handled  and  examined 
only  under  such  conditions  —  only  under  such  conditions  as  are 
adequate  to  prevent  unauthorized  persons  from  gaining  access. 
Classified  material  may  not  be  removed  from  designated  work  areas  or 
moved  from  information  systems,  e.g.,  classified  databases,  computer 
networks,  servers,  or  computers,  except  in  the  performance  of 
official  duties  and  under  special  conditions  which  provide  protection 
for  the  classified  material. 

I  have  reviewed  the  104  charged  USCENTCOM  documents 
related  to  this  case.  The  charged  documents  are  categorized  as 
follows:

Over  380,000  documents  were  taken  from  the  Combined 
Information  Data  Network  Exchange  (CIDNE)-Iraq  database.  I  reviewed 
the  53  charged  documents  from  the  CIDNE-Iraq  database  contained  in 
Appellate  Exhibit  (AE)  501  and  Prosecution  Exhibit  (PE)  88. 




Over  90,000  documents  were  taken  from  the 
CIDNE-Afghanistan  database.  I  reviewed  the  37  charged  documents  from 
the  CIDNE-Afghanistan  database  contained  in  AE  501  and  PE  89. 

I  reviewed  the  14  charged  documents  related  to  the  Farah 
investigation  contained  in  AE  501  and  PE  90. 

I reviewed the charged file named "BE22 PAX.zip"
containing  the  video  named  "BE22  PAX.wmv"  (Gharani  video)  contained 
in  Prosecution  Exhibit  (PE)  66. 

This  material  was  staffed  through  the  following  USCENTCOM 
Directorates: Intelligence (J-2), Operations (J-3), and the
Strategy, Plans, and Policy (J-5). The results of this staffing are
PE  86,  PE  87,  and  PE  133  for  Identification,  and  these  documents  were 
provided  to  me  and  consolidated.  In  consultation  with  the  subject 
matter  experts  identified  above,  as  an  OCA  I  determined  the  following 
for  each  category: 

For  each  of  the  53  CIDNE-Iraq  documents  in  PE  88,  I  found 
the  following: 

First,  all  53  documents  were  properly  marked  at  the 
Secret  level  and  based  on  actual  events. 

Second,  disclosure  of  the  information  identified  in  the 
53  documents  reasonably  could  be  expected  to  cause  serious  damage  to 
the  national  security  of  the  United  States.  In  making  this 
determination  regarding  the  classification  of  information  in  this
case,  I  rely  upon  my  personal  knowledge  and  experience,  the 
information  made  available  to  me  in  my  official  capacity,  and  the 
advice  and  recommendations  received  from  the  subject  matter  experts 
who  also  reviewed  the  documents.  I  am  aware  that  there  may  have  been 
some  information  pertinent  to  some  of  these  documents  available  in 
open  source  material.  I  did  not  use  this  material  or  its  publicly 
available  status  in  making  classification  determinations.  If  I  had 
been  aware  of  information  that  had  been  previously  released  under  the 
authority  of  the  United  States  Government,  I  would  have  considered 
the  authorized  release  of  information  by  the  United  States  Government 
as  part  of  my  review  of  the  classification  of  that  information. 

Third,  the  53  documents  and  the  information  contained  in 
them  were  classified  at  the  Secret  level  at  the  time  of  their 
creation  and  remained  classified  at  the  Secret  level  in  the  first 
half  of  2010  and  at  the  time  of  their  disclosure.  These  documents 
were  properly  classified  at  the  time  they  were  generated  and  remained 
classified in the first half of 2010 pursuant to Section 1.4(alpha)
and (charlie) of Executive Order 13526, or its predecessor EOs,
because  they  contained  information  that,  if  released,  could  cause 
serious  damage  to  national  security. 

For each of the 37 CIDNE-Afghanistan documents in PE 89,
I found the following:




First,  all  37  documents  were  properly  marked  at  the 
Secret  level  and  based  on  actual  events. 

Second,  disclosure  of  the  information  identified  in  the 
37  documents  reasonably  could  be  expected  to  cause  serious  damage  to 
the  national  security  of  the  United  States.  In  making  this 
determination  regarding  the  classification  of  information  in  this 
case,  I  rely  upon  my  personal  knowledge  and  experience,  the 
information  made  available  to  me  in  my  official  capacity,  and  the 
advice  and  recommendations  received  from  the  subject  matter  experts 
who  also  reviewed  the  documents.  I  am  aware  that  there  may  have  been 
some  information  pertinent  to  some  of  these  documents  available  in 
open  source  material.  I  did  not  use  this  information,  this  material, 
or  its  publicly  available  status  in  making  classification 
determinations.  If  I  had  been  aware  of  information  that  had  been 
previously  released  under  the  authority  of  the  United  States 
Government,  I  would  have  considered  the  authorized  release  of 
information  by  the  United  States  Government  as  part  of  my  review  of 
the  classification  of  that  information. 

Third,  the  37  documents  and  the  information  contained  in 
them  were  classified  at  the  Secret  level  at  the  time  of  their 
creation  and  remained  classified  at  the  Secret  level  in  the  first 
half  of  2010  and  at  the  time  of  their  disclosure.  These  documents 
were properly classified at the time they were generated and remained
classified in the first half of 2010 pursuant to Section 1.4(alpha)
and  (charlie)  of  EO  13526,  or  its  predecessor  EOs,  because  they 
contained  information  that,  if  released,  could  cause  serious  damage 
to  national  security. 

For  each  of  the  14  Farah  investigation  documents  in 
PE  90,  I  found  the  following: 

First,  all  14  documents  were  properly  marked  at  the 
Secret  level  and  based  on  actual  events. 

Second,  disclosure  of  the  information  identified  in  the 
14  documents  reasonably  could  be  expected  to  cause  serious  damage  to 
the  national  security  of  the  United  States.  In  making  this  statement 
regarding  the  classification  of  information  in  this  case,  I  rely  upon 
my  personal  knowledge  and  experience,  the  information  made  available 
to  me  in  my  official  capacity,  and  the  advice  and  recommendations 
received  from  the  subject  matter  experts  who  also  reviewed  the 
documents.  I  am  aware  that  there  may  have  been  some  information 
pertinent  to  some  of  these  documents  available  in  open  source 
material.  I  did  not  use  this  material  or  its  publicly  available 
status  in  making  classification  determinations.  If  I  had  been  aware 
of  information  that  had  been  previously  released  under  the  authority 
of  the  United  States  Government,  I  would  have  considered  the 
authorized  release  of  information  by  the  United  States  Government  as 
part  of  my  review  of  the  classification  of  that  information. 




Third,  the  14  documents  and  the  information  contained  in 
them  were  classified  at  the  Secret  level  at  the  time  of  their 
creation  and  remained  classified  at  the  Secret  level  in  the  first 
half  of  2010  and  at  the  time  of  their  disclosure.  These  documents 
were classified pursuant to Section 1.4(alpha) and (charlie) of
Executive  Order  13526,  or  its  predecessor  EOs,  because  they  contained 
information  that,  if  released,  could  cause  serious  damage  to  national 
security. 

For  the  Gharani  video  in  PE  66,  I  found  the  following: 

First,  the  Gharani  video  was  only  located  on  the  SIPRNet 
because  it  was  classified  at  the  Secret  level. 

Second,  disclosure  of  the  information  identified  in  the 
video  reasonably  could  be  expected  to  cause  serious  damage  to  the 
national  security  of  the  United  States.  In  making  this  statement 
regarding  the  classification  of  information  in  this  case,  I  rely  upon 
personal  knowledge  —  my  personal  knowledge  and  experience,  the 
information  made  available  to  me  in  my  official  capacity,  and  the 
advice  and  recommendations  received  from  the  subject  matter  experts 
who  also  reviewed  the  video.  I  am  aware  that  there  may  have  been 
some  information  pertinent  to  this  video  available  in  open  source 
material.  I  did  not  use  this  material  or  its  publicly  available 
status  in  making  classification  determinations.  If  I  had  been  aware 
of  information  that  had  been  previously  released  under  the  authority
of  the  United  States  Government,  I  would  have  considered  the 
authorized  release  of  information  by  the  United  States  Government  as 
part  of  my  review  of  the  classification  of  the  video. 

Third,  the  video  and  the  information  contained  within  was 
classified  at  the  Secret  level  at  the  time  of  its  creation  and 
remained  classified  at  the  Secret  level  in  the  first  half  of  2010  and 
at  the  time  of  its  disclosure.  This  video  was  classified  pursuant  to 
Section 1.4(alpha) and (charlie) of EO 13526, or its predecessor EOs,
because  it  contained  information  that,  if  released,  could  cause 
serious  damage  to  national  security. 

MJ:  Thank  you. 

TC [MAJ  FEIN]:  Your  Honor,  the  United  States  offers  to  be  read 
on  the  record  Prosecution  Exhibit  135alpha,  the  stipulation  of 
expected  testimony  for  Ms.  Cathryn  Strobl,  dated  16  June  2013. 

MJ: I notice here the — my copy doesn't have a date. Does
the court's copy — did the court copy?

[Pause] 

ADC [MAJ  HURLEY]:  Ma'am,  it's  been  the  practice  that  the  defense 
has  dated  them,  and  the  defense  counsel  and  PFC  Manning  that  they 
could  —  we  would  put  on  there  that  we  actually  signed  it  --  we 
signed  it  yesterday,  so  17  June  is  the  appropriate  date. 

MJ:  17  June  and  is  that  on  the  original  court  - 

TC [MAJ  FEIN]:  16  June,  yesterday,  ma'am. 


ADC [MAJ  HURLEY]:  Well,  I'm  disoriented.  16  June  from 
yesterday.  My  apologies.  Sunday  - 

MJ:  And  - 

ADC [MAJ  HURLEY]:  -  is  the  day  we  signed  it. 

TC [MAJ  FEIN]:  Ma'am,  the  original  is  dated  16  June. 

MJ:  All  right,  now  what  about  the  classified  version? 

[Pause] 

TC [MAJ  FEIN]:  The  original  classified  version,  Your  Honor,  is
also  Prosecution  Exhibit  135bravo,  dated  16  June.

MJ:  Thank  you. 

TC [MAJ  FEIN]:  Your  Honor,  it  is  here  —  hereby  agreed  by  the
accused,  defense  counsel,  and  trial  counsel  that  if  Ms.  Cathryn
Strobl  were  present  to  testify  during  the  merits  and  presentencing
phases  of  this  court-martial,  she  would  testify  substantially  as
follows:

I  am  currently  employed  as  a  contractor  with  the  Central 
Intelligence  Agency  (CIA).  I  am  a  software  developer  and  I  worked  on
the  contract  for  the  CIA's  World  Intelligence  Review  (WIRe)  and  its 
predecessor  program  from  approximately  2005  through  2012.  At 
present,  I  work  as  a  software  developer  for  another  disseminated 
intelligence  program.  I  hold  a  bachelor's  degree  in  Spanish  from  the 
University  of  Mary  Washington,  a  juris  doctor  from  the  University  of 
North  Carolina  at  Chapel  Hill,  a  master's  of  business  administration
from  the  University  of  North  Carolina  at  Greensboro,  and  a  computer 
science  certificate  from  North  Carolina  State  University.  I  have 
been  working  in  the  information  technology  field  since  1997,  when  I 
began  working  in  database  administration  at  the  University  of  North 
Carolina  hospitals.  Since  that  time,  I  have  participated  in  working 
in  multiple  training  courses  specific  to  database  administration,  Web 
development,  and  system  administration,  including  training  geared 
towards  the  tools  used  to  develop,  administer,  and  maintain  an 
enterprise  application. 

WIRe  is  a  Web  site  controlled  by  the  CIA  and  located  on 
the  SIPRNet  that  allows  a  user,  once  authenticated,  to  conduct 
searches  of  various  files  created  by  the  CIA  and  other  organizations. 
The  —  that  authentication  is  performed  by  means  of  an  Intelink 
Passport  user  account.  To  apply  for  an  Intelink  Passport  account,  a 
user  has  to  enter  their  personal  information  on  the  Intelink  site  on 
SIPRNet. 

In  approximately  May  2010,  I  was  asked  to  pull  any  user 
information  for  Bradley  Manning,  as  well  as  audit  log  for  the  date 
range  October  of  2009  to  May  2010  from  the  sending  IP  addresses  of 
22.225.41.22  and  22.225.41.40.  At  that  time,  an  Intelink  Passport 
account  was  required  in  order  to  access  all  information  on  the  WIRe, 
except  for  leadership  profiles.  Under  certain  circumstances  if  a 
user  clicked  on  a  leadership  profile,  the  user  ID  would  not  be
logged.  When  the  user  ID  was  logged,  the  WIRe  system  created 
numerous  types  of  logs.  In  this  case,  I  pulled  all  three  types  of 
logs:  production  logs,  http  logs,  and  SQL  logs.  The  logs  represent
the  same  information  but  they  do  not  —  they  do  so  with  different
data  and  different  formats.  The  application  logs  show  requests  at
the  application  level.  The  http  logs  show  all  requests  going  in  and
out  of  the  Web  server.  The  SQL  logs  show  the  titles  of  the  documents
with  their  document  numbers  as  reflected  in  the  database.  The  SQL 
logs  correspond  with  the  http  logs  in  that  they  show  the  actual  name 
of  the  document  numbers  recorded  in  the  http  logs.  I  pulled  these 
logs  to  paint  a  fuller  picture  of  the  activity. 

I  pulled  these  logs  by  writing  queries  and  running  those 
queries.  I  applied  SQL  queries  to  the  database  and  UNIX  commands  to 
the  Web  and  application  logs.  "SQL"  is  a  structural  query  language 
for  interacting  with  databases.  In  other  words,  it  is  a  tool  used  to 
perform  inquiries  and  pull  data  from  databases.  In  order  to
accomplish  the  SQL  query,  I  went  to  the  command  prompt  screen,  typed 
in  the  query,  hit  enter,  and  the  computer  generated  the  logs.  The 
SQL  queries  I  used  pulled  the  logs  and  put  them  into  text  output.  I 
then  saved  the  logs  as  well  as  the  SQL  query  I  used  to  pull  those 
logs.  "UNIX"  is  an  operating  system  that  comes  in  several  variants, 
often  called  "flavors."  For  purposes  of  the  queries  described  below, 
I  used  the  "flavor"  Solaris.  To  execute  commands  to  cull  the  Web  and
application  logs  on  Solaris,  I  drafted  and  typed  into  the  command 
prompt  queries  that  contained  the  specific  user  ID,  IP  addresses,  and 
dates  I  was  asked  to  review.  In  response  to  those  queries,  Solaris 
generated  logs  of  user  activity.  These  logs  are  identified  using  the 
original  log  names  plus  the  suffix  ".culled"  as  seen  below.  In  sum,
by  these  queries  I  asked  the  system  to  pull  the  pertinent  audit
events  by  the  user  "bradley.e.manning"  and/or  the  IP  addresses
22.225.41.22  and  22.225.41.40  and/or  time/date  group  of  October  2009 
to  May  2010. 

I  pulled  the  http  logs,  which  log  all  activity  going  in 
and  out  of  the  Web  server,  by  IP  address  and  time  and  date  group. 
Specifically,  I  pulled  the  http  logs  for  the  IP  addresses 
22.225.41.22  and  22.225.41.40  between  October  2009  and  May  2010.  The 
results  are  contained  in  the  following  files.  Excuse  me,  Your  Honor
[pause].  ciware  —  ciawire-production.httpd.log.2010-02-20.culled;
ciawire-production.httpd.log.2010-02-21.culled;
ciawire-production.httpd.log.2010-02-23.culled;
ciawire-production.httpd.log.2010-02-24.culled;
ciawire-production.httpd.log.2010-02-25.culled;
ciawire-production.httpd.log.2010-02-27.culled;
ciawire-production.httpd.log.2010-03-01.culled  -

MJ:  Major  Fein,  can  I  stop  you  for  just  a  minute.  All  of  these  -


TC [MAJ  FEIN]:  Yes.

MJ:  -  lists  that  you're  listing  reading  down  can  —  is  it
correct  that  each  one  of  the  entries  would  say
"ciawire-production.httpd.log"  and  then  it  would  have  followed  by  a
date  and  end  with  ".culled"?

TC [MAJ  FEIN]:  Yes,  ma'am.  In  fact,  the  same  year,  so  it's
".2010-"  and  then  it  is  a  two-numbered  —  two  -

MJ:  Then  why  don't  we  just  read  the  —  you  can  start  —
they're  all  "2010";  just  read  the  month  and  the  day.

TC [MAJ  FEIN]:  Thank  you,  ma'am.

03-02.culled;  03-04.culled;  03-08.culled;  03-09.culled;
03-11.culled;  03-12.culled;  03-15.culled;  03-19.culled;  03-20.culled;
03-21.culled;  03-22.culled;  03-23.culled;  03-24.culled;  03-25.culled;
03-27.culled;  03-28.culled;  03-29.culled;  03-30.culled;  04-03.culled;
04-08.culled;  and  04-27.culled.

The  entry  "22.225.41.22"  is  the  sending  IP  address.  This 
address  indicates  the  IP  address  of  the  computer  that  is  requesting 
the  information. 

The  entry  "bradley.e.manning"  is  the  user  name  assigned
to  the  Intelink  Passport  account  that  is  requesting  the  information.
The  Intelink  user  account  associated  with  the  common  name  "Manning,
Bradley  E."


The  entry  "21/Mar/2010:05:39:53-0400"  is  the  time  and
date  group,  which  is  given  in  Greenwich  Mean  Time  (GMT).  The  time
and  date  group  records  when  the  computer  processes  the  request  from 
the  sending  IP  address. 

The  entry  "%20"  means  that  a  space  is  there. 

The  entry  "200"  is  a  code  that  states  that  the  user's 
request  to  "GET"  and  access  the  document  was  successful. 

Based  on  the  log  information,  I  can  tell  someone 
downloaded  the  .pdf  because  a  document  number  follows  the  "GET" 
request.  A  document  number  indicates  that  the  user  opened  the 
document.  Additionally,  if  the  user  has  downloaded  the  document, 
then  the  log  will  say  "/document/docnum/attachment/pdf  name."

The  entry  "45266"  indicates  the  size  of  the  user's
request.

The  entry  "Mozilla/5.0"  tells  me  that  the  user  of  the  .22
IP  address  was  using  version  5  of  the  Mozilla  browser.

The  entry  "(Windows;  U;  Windows  NT  5.1;  en-US;
rv:1.9.0.10)"  means  that  a  Windows  NT  workstation  was  being  used  by
the  user  of  22.225.41.22  computer.

The  entry  "Gecko/2009042316  Firefox/3.0.10\"  tells  me
that  the  22.225.41.22  system  was  using  the  Firefox  browser.

I  pulled  the  production  logs,  which  log  all  activity 
going  in  and  out  of  the  application,  by  IP  address.  Specifically,  I
pulled  the  production  log  for  the  IP  addresses  22.225.41.22  and 
22.225.41.40  between  October  2009  and  May  2010.  I  obtained  results 
from  Feb  —  20  February  2010  to  27  April  2010.  The  results  are 
contained  in  the  following  files:  production.log.20100303.culled,
various  dates  between  20  February  2010  and  2  Mar  2010;
production.log.20100401.culled,  various  dates  between  4  March  2010
and  30  March  2010;  production.log.20100615.culled,  various  dates
between  3  April  2010  and  27  April  2010. 

The  entry  "22.225.41.22"  is  the  sending  IP  address.  This 
—  excuse  me,  Your  Honor  —  this  address  indicates  the  IP  address  of
the  computer  that  is  requesting  the  information. 

The  entry  "2010-03-21  05:39:53"  is  the  time  and  date 
group.  The  time  and  date  group  records  when  the  computer  processes 
the  request  from  the  sending  IP  address. 

The  entry  "200"  is  a  code  that  states  the  user's  request 
to  "GET"  and  access  the  document  was  successful.  The  "OK"  indicates 
the  same  information  as  the  200,  that  the  document  —  Your  Honor, 
there's  one  correction  that  needs  to  be  made  on  this  document. 

MJ:  All  right,  why  don't  you  take  a  moment  to  get  with  the
defense  counsel.

TC [MAJ  FEIN]:  Yes,  ma'am. 

[Counsel  did  as  directed.] 


TC [MAJ  FEIN]:  Your  Honor,  there  should  be  a  box  that  is 
redacted  on  this  document,  so  for  reading  on  the  record  the  portion 
will  be  skipped  and  then  the  documents  will  be  corrected  after  this. 

MJ:  All  right,  you'll  have  corrected  copies  in  the  record? 

TC [MAJ  FEIN]:  Yes,  ma'am. 

MJ:  Major  Hurley,  you  —  does  the  defense  agree  with  the
proposed  correction  by  the  government?

ADC [MAJ  HURLEY]:  Yes,  we  do,  ma'am. 

MJ:  All  right,  thank  you. 

TC [MAJ  FEIN]:  So  to  restart  that  section,  Your  Honor.

The  "OK"  indicates  the  same  information  as  the  200,  that 
the  document  with  identification  number  downloaded  to  the 
22.225.41.22  IP  address. 

Based  on  the  log  information,  I  can  tell  someone 
downloaded  the  pdf  —  the  .pdf  because  a  document  number  follows  the 
"GET"  request.  A  document  number  indicates  that  the  user  opened  the
document.  Additionally,  if  the  user  has  downloaded  the  document, 
then  the  log  will  say  "/document/docnum/attachment/pdf  name." 

I  also  conducted  database  queries  to  pull  other 
information  and  to  pull  information  sorted  in  different  ways.  Again, 
I  wrote  a  variety  of  SQL  queries  to  do  this.  The  results  are 
contained  in  the  following  files:  sql_document_views.lst;
sql_document_views_documents_earliest.lst;  sql_documents_lst  [sic];
sql_dvs_documents_users.lst;  sql_searches_lst  [sic];  sql_users.lst.

The  query  "sql_users_lst"  [sic]  is  the  result  of  the  SQL 
command  that  I  wrote  to  pull  the  Intelink  Passport  account 
information  for  the  user  with  the  first  name  "Bradley"  and  the  last 
name  "Manning."  The  information  the  query  produced  revealed  that  the 
user  with  the  Passport  Identification  "bradley.e.manning"  had  his
organization  listed  at  --  as  "USA";  his  "Employee  Type"  as 
"Military";  and  his  "Rank"  as  "E-4."  His  registered  e-mail  address 
was  bradley.manning@us.army.smil.mil.  His  identification  number  was 
"31169." 

To  assist  in,  among  other  things,  determining  the  names 
of  the  product  numbers  that  were  viewed  and  downloaded,  I  wrote  an 
SQL  query  to  pull  the  names  of  the  products  viewed  by  the  user  with 
the  identification  number  "31169."  I  got  the  identification  number
from  the  query  I  conducted  in  the  "sql_users.lst"  to  limit  to  search
—  to  limit  to  search  to  only  pull  the  documents  viewed  by  the  user
of  the  Intelink  Passport  Account  with  the  user  name
"bradley.e.manning."  I  saved  that  query  as  "sql_documents.lst."  I
wrote  another  SQL  command  to  just  limit  the  query  of  "31169"  to
document  numbers  and  times,  which  is  saved  as
"sql_document_views.lst."  I  also  wrote  a  SQL  command  to  pull  the
document  names  in  order  of  earliest  viewed,  which  I  saved  as
"sql_document_views_documents_earliest.lst."
"Sql_dvs_documents_users"  has  all  the  views  by  user  "31169"  saved  in
the  order  the  user  viewed  them.

The  classification  of  the  title  is  "C//NF." 

The  classification  of  the  memorandum  is  "SECRET//NOFORN."

The  information  I  provided  is  computer  generated  and  only 
limited  people  have  access  to  the  information.  I  have  no  reason  to 
believe  the  information  I  provided  was  not  accurate.  On  19  June 
2012,  I  attested  to  the  authenticity  of  the  CIA  Wire  log  files 
containing  the  above  listed  logs  and  in  —  and  queries.  The 
attestation  is  Bates  numbers:  00449441-00449441.  Prosecution 
Exhibit  136  for  Identification  is  the  logs. 

Your  Honor,  the  United  States  moves  to  admit  what  has 
been  marked  as  Prosecution  Exhibit  136  for  Identification  as 
Prosecution  Exhibit  136. 

ADC [MAJ  HURLEY]:  No  objection,  Your  Honor.

MJ:  All  right.  May  I  see  it,  please? 

[PE  136  for  ID  was  handed  to  the  military  judge.] 

MJ:  Prosecution  Exhibit  136  for  Identification  is  admitted. 

[Pause] 

TC [MAJ  FEIN]:  Ma'am,  I  did  it  too  quick.  Simply,  the  United 
States  skipped  over  —  after  Prosecution  Exhibit  134,  the  stipulation 
of  expected  testimony  for  Vice  Admiral  Robert  Harward,  was  read  on
the  record,  the  United  States  intended  to  move  to  admit  Prosecution 
Exhibit  133  for  Identification  as  Prosecution  Exhibit  133. 

ADC [MAJ  HURLEY]:  No  objection,  ma'am. 

MJ:  All  right.  May  I  see  it,  please? 

[The  military  judge  was  handed  PE  133  for  ID.] 

MJ:  All  right.  Prosecution  Exhibit  133  for  Identification  is
admitted.

TC [MAJ  FEIN]:  Your  Honor,  the  United  States  requests  a  recess 
for  lunch. 

MJ:  All  right,  how  long  would  you  like? 

TC [MAJ  FEIN]:  [No  response.] 

MJ:  1330? 

TC [MAJ  FEIN]:  Can  we  do  1315,  Your  Honor? 

MJ:  That's  fine. 

All  right,  anything  else  we  need  to  address? 

TC [MAJ  FEIN]:  No,  ma'am. 

ADC [MAJ  HURLEY]:  No,  Your  Honor. 

MJ:  Court  is  in  recess  till  1315. 

[The  court-martial  recessed  at  1214,  17  June  2013.] 

[The  court-martial  was  called  to  order  at  1335,  17  June  2013.] 

MJ:  Court  is  called  to  order.  Let  the  record  reflect  all
parties  present  when  the  court  last  recessed  are  again  present  in
court.


Major  Fein,  is  the  government  ready  to  proceed? 

TC [MAJ  FEIN]:  Yes,  ma'am. 

MJ:  Are  there  any  issues  we  need  to  address  before  we
proceed?

TC [MAJ  FEIN]:  No,  ma'am. 

ADC [MAJ  HURLEY]:  Just  accounting  for  the  parties,  ma'am. 

MJ:  All  right. 

TC [MAJ  FEIN]:  Ma'am,  all  parties  when  the  court  last  recessed 
are  again  present. 

MJ:  Thank  you. 

TC [MAJ  FEIN]:  Ma'am,  the  United  States  offers  to  be  read  on  the 
record  Prosecution  Exhibit  137,  the  stipulation  of  expected  testimony 
for  Mr.  Maxwell  Allen,  dated  16  June  2013. 

It  is  hereby  agreed  by  the  accused,  defense  counsel,  and 
trial  counsel  that  if  Mr.  Maxwell  Allen  were  present  to  testify 
during  the  merits  and  presentencing  phases  of  this  court-martial,  he 
would  testify  substantially  as  follows: 

I  am  currently  employed  with  the  Central  Intelligence 
Agency  (CIA)  and  have  worked  there  for  6  years.  Before  that,  I  was  a 
contractor  with  Oracle  for  10  years.  Oracle  is  the  largest  database 
company  in  the  world  and  is  the  platform  for  the  Open  Source  Center 
(OSC)  database.  I  work  on  the  contract  for  the  OSC.  I  am  the  lead 
database  engineer  and  database  administrator  for  the  OSC.  I  have
been  the  lead  database  administrator  and  engineer  for  2  years.  As  a 
database  engineer,  I  build  and  develop  databases  to  efficiently  store 
and  retrieve  data  and  as  a  database  administrator  I  maintain  the 
databases.  As  the  lead,  I  am  in  charge  of  the  database  engineers  and 
administrators.

The  OSC  is  a  Web  site  controlled  by  the  Central 
Intelligence  Agency  (CIA),  which  requires  a  user  to  have  an  OSC
account  to  access  information.  The  Web  site  is  located  on  the 
unclassified  system,  SIPRNet,  and  JWICS  and  allows  a  user,  once 
authenticated,  to  conduct  searches  of  various  files  created  by  the 
CIA  and  other  organizations.  The  OSC  contains  reports  and 
translations  from  thousands  of  unclassified  publications,  television 
and  radio  programs,  and  Internet  sources  around  the  world. 

The  OSC  cannot  complete  a  request  by  a  user  without 
logging  the  request  in  the  audit  logs.  In  other  words,  if  the  OSC 
cannot  log  its  actions,  it  will  stop  working  and  users  will  not  be 
able  to  retrieve  their  requests  and  view  pages  on  the  Web  site.  We 
conduct  a  monthly  check  of  the  logs  to  ensure  the  system  is 
functioning  properly,  and  we  always  keep  the  database  up  to  date  by 
installing  all  updates.  Typically,  the  purpose  of  checking  the  audit 
logs  is  to  see  if  there  are  any  errors  in  the  automated  process. 

The  OSC  database  creates  three  separate  types  of  logs: 
application  logs,  server  logs,  and  firewall  logs.  In  this  case,  I
pulled  the  application  logs.  The  other  logs  would  reflect  the  same 
basic  information  in  a  different  format.  The  logs  are  created  every 
time  an  event  occurs.  In  this  case,  we  were  asked  to  pull  any  user 
information  for  Bradley  Manning,  as  well  as  audit  logs  associated 
with  the  user  names  of  any  Bradley  Manning  accounts. 

As  I  stated,  an  OSC  account  is  required  to  access  the 
OSC.  To  apply  for  an  OSC  account,  a  user  has  to  enter  their  personal 
information  in  the  application.  When  applying  for  an  account  on 
SIPRNet,  the  account  is  automatically  approved  upon  application  and
confirmation  of  the  SIPRNet  e-mail  address.  Having  an  OSC  account 
allows  you  to  access  the  OSC  Web  site  through  SIPRNet.  If  a  user 
wants  to  access  sites  not  within  OSC,  the  user  has  to  log  on  to  those 
sites  separately  even  if  the  user  clicks  on  a  link  from  within  the 
OSC  Web  site. 

I  searched  the  database  for  any  combination  of  Bradley 
and  Manning.  After  looking  at  the  first  and  last  name  on  the 
account,  I  determined  that  there  were  two  accounts  with  the  first 
name  Bradley  and  last  name  Manning.  Both  the  accounts  were  on 
SIPRNet.  I  opened  the  account  information  for  those  accounts  and 
took  screenshots  of  the  account  information  by  pressing  "Control"  and 
"Enter"  to  take  a  screenshot. 

The  first  account  had  a  user  name  of  "Bmanning."  The 
name  entered  by  the  individual  creating  the  account  was  Bradley
Edward  Manning.  The  phone  number  was  (240)  784-0431.  The  Secret-
level  e-mail  given  was  Bradley.manning@2bctl0mtn.  The  security
question  was  "What  city/town  did  you  grow  up  in?"  The  answer  given 
by  the  user  was  "Crescent."  The  account  was  opened  on  6  November 
2009  and  the  last  logon  —  login  was  6  November  2010.  Prosecution 
Exhibit  138  for  Identification  is  the  account  screenshot  with  Bates 
number:  00374393. 

The  second  account  had  a  user  name  "bradass87."  The  name 
entered  by  the  individual  creating  the  account  was  Bradley  Edward 
Manning.  The  phone  number  was  (312)  848-8722.  The  Secret  level 
e-mail  given  was  bradley.manning@us.army.smil.mil.  The  security 
question  was  "What  city/town  did  you  grow  up  in?"  The  answer  given 
by  the  account  user  was  "Crescent."  The  account  was  opened  on 
20  February  2010  and  last  logon  was  17  April  2010.  Prosecution 
Exhibit  139  for  ID  is  the  second  account  screenshot  with  Bates 
number:  00374394. 

To  pull  the  logs  associated  with  the  accounts  with  the 
user  names  "bmanning"  and  "bradass87,"  I  wrote  a  SQL  query  and 
entered  it  into  the  database.  In  the  query,  I  asked  the  database  to 
pull  all  the  audit  events  by  the  users  "bmanning"  and  "bradass87."
"SQL"  is  a  structural  query  language  for  extracting  and  inserting 
into  a  database.  It  is  a  standard  computer  language  to  interact  with 
databases.  In  other  words,  SQL  is  a  tool  used  to  perform  inquiries
and  pull  data  from  a  database.  The  SQL  query  pulled  the  logs  and  put 
them  in  a  readable  format.  In  order  to  accomplish  SQL  query,  I  went 
to  the  black  command  prompt  screen,  typed  in  the  query,  hit  enter, 
and  the  computer  generated  the  logs.  I  then  saved  the  logs  as  well 
as  the  SQL  query  I  used  to  pull  those  logs.  A  computer-generated 
process  pulls  the  logs,  and  I  did  not  format  them  as  SQL  does  it 
automatically.  I  then  saved  the  logs. 

I  will  explain  the  logs  by  column  and  using  the  line 
pulled  from  "bradass87_distinct_export_with  classification.xls"
[sic].

Your  Honor,  for  purposes  of  reading  the  stipulation, 
there's  a  table  that  is  provided  in  the  next  portion,  and  the  United 
States  will  offer  to  skip  to  the  explanation  of  the  table  by  line 
number. 

a.  Column  1  is  the  audit  event  identification,  which  is 
the  system-generated  number  assigned  numerically  to  events.  An 
"event"  is  data  received,  like  looking  at  a  document.  Each  different 
event  has  a  different  line  on  the  audit  data;  however,  each  action 
has  the  same  audit  event  identification.  Therefore,  there  may  be 
several  lines  to  describe  one  action,  which  all  have  the  same  audit 
event  identification.  In  the  above  example  line,  the  audit  event  ID 
is  "36135654." 


Column  2  is  the  date/time  group;  logs  the  date  and  time 
of  the  event.  In  the  above  example  line,  the  date/time  group  is 
"20-FEB-10"  at  "04.45.52.000000000  AM."

Column  3  is  the  actor.  It  is  the  user  account  that  is 
creating  the  event.  In  the  above  example  line,  the  actor  is 
"bradass87."  That  was  the  user  account  for  a  SIPRNet  OSC  account 
with  the  name  "Bradley  Manning." 

Column  4  is  the  audit  action,  which  tells  you  what  the 
user  did  on  the  OSC  Web  site.  In  the  above  example  line,  the  audit 
action  is  "viewed  holding."  This  means  the  document  whose  title 
appears  in  the  data  value  column  was  opened  by  the  "bradass87"  user
account.

Column  5  is  the  target.  The  "target"  identifies  what  the 
user  was  accessing  on  the  OSC  Web  site.  In  the  logs  that  we  pulled 
for  this  case,  the  targets  were  most  often  numbers  that  identified 
specific  documents  or  other  areas  of  the  Web  site  the  user  clicked 
on,  such  as  Topic  Countries.  In  the  above  example  line,  the  target 
is  "11945572,"  which  is  a  document. 

Column  6  contains  the  data  name,  which  further  describes 
the  target  as  well  as  the  next  column,  the  data  value  column.  In  the 
above  example,  the  data  name  is  "TITLE."  That  means  that  the  target 
was  the  document  and  the  data  value  in  the  following  column  is  the 
title  of  the  document. 


Column  7  is  the  data  value,  which  is  what  the  data 
actually  is.  In  the  above  example  line,  the  data  value  is  the  title 
"Daily  Tells  UK,  Dutch  To  Stop  'Bullying',  Accept  Iceland's 
Compensation  Officer  (U)."

To  summarize,  the  above  example  means  that  the  user 
"bradass87"  clicked  on  the  page  with  the  document  entitled  "Daily
Tells  UK,  Dutch  To  Stop  'Bullying',  Accept  Iceland's  Compensation
Officer  (U)"  on  20  February  2010.  I  know  the  page  opened  and  the
document  displayed;  otherwise,  the  action  would  not  have  logged. 

In  this  case,  I  also  conducted  a  search  of  the  database 
for  all  document  titles  that  were  viewed  by  the  user  account 
"bradass87."  I  saved  them  as  "bradass87_sum_export_with
classifications."  I  did  this  as  it  was  an  easier  format  to  view  what 
document  titles  were  viewed  by  the  user.  Using  the  above  example  and 
"bradass87_sum_export_with  classifications"  you  can  match  the  target, 
which  contains  the  holding  identification  with  the  document  title.  In
the  above  example,  the  target,  and  holding  identification,  is 
"11945572,"  which  again  matches  with  the  title  "Daily  Tells  UK,  Dutch 
To  Stop  'Bullying',  Accept  Iceland's  Compensation  Officer." 

Based  upon  the  review  of  the  audit  log,  it  appears  that 
"bmanning"  began  using  his  account  on  26  November  2009  and  looked  at 
homeland  security  information.  He  did  not  conduct  any  activity  on 
his  account  after  that  date.  The  subsequent  two  dates  are  automatic
entries  to  track  the  lapsing  and  expiration  of  the  accounts. 
Prosecution  Exhibit  140  for  Identification  are  the  OSC  logs  for  the 
user  account  "bmanning." 

Based  upon  the  review  of  the  audit  log,  it  appears  that 
"bradass87"  began  using  the  OSC  on  20  February  2010  and  looked  at  a 
variety  of  documents  associated  with  WikiLeaks  and  Iceland.  The 
"bradass87"  account  was  last  used  on  17  April  2010.  Prosecution 
Exhibit  141  for  ID  are  the  OSC  logs  for  the  user  "brad"  —  user 
account  "bradass87." 

The  information  I  provided  is  computer  generated  and  only 
limited  people  have  access  to  the  information.  I  have  no  reason  to 
believe  that  the  information  I  provided  was  not  accurate.  On  29  June 
2012,  I  attested  to  the  authenticity  of  the  OSC  log  files  containing 
the  following  logs  with  the  following  date  ranges: 
"bmanning_distinct_export_with  classification.xls"  (date  range 
6  November  2009  to  9  November  2010);  "bradass87_distinct_export_with 
classification.xls"  (date  range  20  February  2010  to  17  April  2010); 
"bradass87_sum_export_with  classification.xls"  (no  date  range).  The 
logs  that  I  attested  to  in  this  case  were  in  the  Excel  format. 
Although  I  originally  pulled  the  logs  in  a  different  format,  the 
content  was  identical  to  the  logs  that  I  pulled.  In  the  same  29  June 
2012  attestation,  I  attested  to  the  authenticity  of  the  OSC  user 
information  files  entitled  "Opensource.gov-bmanning.pdf"  and
"Opensource.gov-bradass87.pdf."  This  attestation  is  Bates  number 
00505184. 

Your  Honor,  the  United  States  moves  to  admit  what  has 
been  marked  as  Prosecution  Exhibits  138,  139,  140,  and  141  as 
Prosecution  Exhibits  —  for  Identification,  excuse  me,  Your  Honor,  as
Prosecution  Exhibits  138,  139,  140,  and  141,  respectively. 

ADC [MAJ  HURLEY]:  No  objection,  Your  Honor.

MJ:  All  right,  may  I  see  them,  please? 

[PEs  138,  139,  140,  and  141  for  Identification  were  handed  to  the 
military  judge,  and  the  military  judge  reviewed  the  exhibits.] 

MJ:  Major  Fein,  I  have  a  question  for  you.  I'm  looking  at
Prosecution  Exhibits  138  and  139.  They're  not  legible.

[Pause] 

TC [MAJ  FEIN]:  Ma'am,  during  the  next  recess  the  United  States 
will  look  at  138  —  Prosecution  Exhibits  138  and  139  to  get  a  clearer 
copy. 

MJ:  Okay,  thank  you;  yes. 

Prosecution  Exhibit  141  for  Identification  is  admitted, 
and  Prosecution  Exhibit  140  for  Identification  is  admitted. 

[Pause] 

ATC [CPT  MORROW]:  Your  Honor,  the  United  States  offers 
Prosecution  Exhibit  142  for  Identification.  It  is  the  stipulation  of 
expected  testimony  for  Staff  Sergeant  Peter  Bigelow,  - 




MJ:  I - 

ATC [CPT  MORROW]:  -  dated  16  June  2013. 

MJ:  -  believe  I  already  admitted  that;  is  that  correct? 

ATC [CPT  MORROW]:  Oh,  yeah,  I'm  sorry;  not  for  Identification, 
Your  Honor.  It  is  admitted  into  the  record. 

It  is  hereby  agreed  by  the  accused,  defense  counsel,  and 
trial  counsel  that  if  SSG  Peter  Bigelow  were  present  to  testify 
during  the  merits  and  presentencing  phases  of  this  court-martial,  he 
would  testify  substantially  as  follows: 

I  am  currently  the  Battalion  S-4  NCOIC  for  the  782d 
Brigade  Support  Battalion,  82d  Airborne  Division,  Fort  Bragg,  North 
Carolina.  I  recently  left  my  position  as  the  supply  sergeant  for  the 
2d  NATO  Signal  Battalion  in  Italy.  I  have  been  active  duty  Army 
since  2004.  Prior  to  that,  I  served  in  the  Army  National  Guard  from 
1999  to  2000  and  the  Marine  Corps  from  1989  to  1993  and  again  from 
1996  to  1999. 

I  know  PFC  Manning  because  he  came  to  work  for  me  in  the 
supply shop after leaving the S-2 shop during our deployment to
Contingency Operating Base (COB) Hammer, Iraq. He left the S-2 shop
on approximately 8 May 2010 and joined the supply room the following
day, on approximately 9 May 2010. At that time, I was the
Headquarters and Headquarters Company (HHC), 2d Brigade, 10th
Mountain Division supply sergeant. In this position, I was
responsible for supporting the Brigade and also handling the
logistical  needs  for  the  Brigade  Headquarters  Company  and  staff 
consisting  of  my  company  commander;  executive  officer;  and  the  arms, 
supply,  and  orderly  room  personnel.  In  the  supply  room,  PFC  Manning 
would  help  out  with  tasks,  such  as  moving  supplies,  photocopying,  or 
running  messages  or  paperwork  to  other  sections.  I  did  not  always 
have  things  for  PFC  Manning  to  do,  so  he  typically  had  several  hours 
a  day  during  his  shift  where  he  did  nothing  but  read  a  book  or  surf 
the  Internet. 

I  first  became  aware  of  the  investigation  and  misconduct 
at  issue  in  these  proceedings  after  getting  back  from  a  supply  run  to 
Victory  Base  Complex  in  Iraq  on  27  May  2010.  Upon  my  return,  I  was 
told to get PFC Manning because CID was en route to question him.
That instruction came from Captain Lim, the 2d Brigade S-2. He asked
me  to  stay  with  PFC  Manning  until  CID  arrived.  After  I  dropped  my 
gear,  I  went  immediately  to  the  supply  office,  got  PFC  Manning,  and 
requested  my  armor  sergeant  watch  him  until  otherwise  instructed. 

CID  arrived  that  evening.  They  interviewed  me  regarding 
leaked  material  and  PFC  Manning's  computer  usage.  I  advised  the 
investigating  agents  that  PFC  Manning  had  had  access  to  my  NIPR  and 
personal  computer;  and  that  while  I  did  not  know  if  PFC  Manning  had 
used  my  SIPR  machine,  I  had  seen  him  sitting  behind  it.  I  consented 
to a CID agent taking my personal laptop. The CID agent also
collected my government NIPR and SIPR hard drives. I asked that the
agent  take  only  the  hard  drives  from  the  government  computers  because 
after  CID's  investigation  of  the  S-2  shop,  we  were  running  out  of 
computer  terminals.  I  signed  my  computer  and  the  supply  room  NIPR 
and  SIPR  hard  drives  over  to  the  agent  on  an  evidence  custody  form 
that  she  supplied. 

PFC  Manning  used  my  personal  computer  and  my  NIPR 
computer.  I  let  him  use  my  personal  computer  after  I  noticed  that  he 
was  checking  his  personal  e-mail  and  surfing  the  Web  on  the 
government  computer.  At  no  point  did  I  ever  log  in  to  any  of  PFC 
Manning's  personal  accounts,  such  as  Gmail,  Amazon,  or  Charles 
Schwab.  I  also  did  not  conduct  any  searches  on  cross-dressing  and 
did  not  purchase  a  book  on  Amazon  called  "Facial  Feminization  Surgery 
-  A  Guide  for  the  Transgendered  Woman."  I  did  not  know  what  the 
Global Address List (GAL) was. I never searched for any information
related to it nor did I ever download or take any actions to
otherwise extract it or information related to it. I also never
searched for information relating to "Julian Assange," "WikiLeaks,"
or "vba outlook write text file." I also have never named a folder
or file with the word "blah," particularly not one I — particularly
not  one  on  my  government  NIPR  computer. 




The  United  States  offers  Prosecution  Exhibit  143,  a 
stipulation  of  expected  testimony  for  Special  Agent  Alfred 
Williamson,  dated  17  June  2013. 

It  is  hereby  agreed  by  the  accused,  defense  counsel,  and 
trial  counsel  that  if  Special  Agent  Alfred  Williamson  were  present  to 
testify  during  the  merits  and  presentencing  phases  of  this 
court-martial,  he  would  testify  substantially  as  follows: 

I  began  working  for  the  Computer  Crimes  Investigation 
Unit  (CCIU)  of  the  U.S.  Army  Criminal  Investigation  Command  (CID)  in 
2006.  I  am  currently  a  criminal  investigator  special  agent.  In  2010 
and  2011,  I  was  a  digital  forensic  examiner  and  special  agent, 
working in the Digital Forensics and Research Branch of CCIU.
Special Agent David Shaver was my supervisor. Prior to working for
CCIU,  I  worked  as  a  computer  forensic  special  agent  for  the 
Department  of  Homeland  Security  from  2002  to  2006.  From  1992  to 
2002,  I  served  as  a  police  officer  in  Texas. 

I  have  attended  and  received  training  in  multiple  areas 
related  to  —  related  to  computer  forensic  examination.  This 
training  includes  Treasury  Department  computer  forensic  courses 
through  the  Federal  Law  Enforcement  Training  Center;  9  weeks  of 
intermittent  training  in  A  Plus,  precomputer  evidence  response;  and 
basic computer evidence response techniques. For my work with CCIU,
I have attended additional training on digital media collection and
forensic examination, as well as computer crime scene investigation,
from the Defense Cyber Investigations Training Academy (DCITA), under
the Defense Cyber Crime Center (DC3). I have industry certifications
from  CompTIA  in  A  Plus,  Network  Plus,  and  Security  Plus.  Further,  I 
am  a  Microsoft  certified  specialist  in  Windows  Vista  and  a  certified 
ethical  hacker.  I  have  obtained  all  three  Department  of  Defense 
forensic  examination  certifications  in  digital  media  collection, 
digital  examination,  and  computer  crimes  investigations.  I  am  also  a 
certified  EnCase  examiner  through  Guidance  Software,  the  makers  of 
the  EnCase  forensic  tool.  Finally,  I  have  GIAC  certifications  in 
forensic  examination  and  analysis,  as  well  as  security. 

As  part  of  this  case,  I  conducted  a  forensic  examination 
of  Prosecution  Exhibit  11,  a  U.S.  Government  NIPRNet  computer 
collected  from  the  supply  annex  on  FOB  Hammer,  Iraq.  The  IP  address 
of  this  computer  was  144.107.17.19.  Specifically,  I  examined  the 
verified-by-hash forensic image obtained by Special Agent Calder
Robertson  from  the  hard  drive  of  this  computer.  The  original 
forensic  laboratory  examination  request  came  from  one  of  the  CID 
agents  in  Iraq,  Special  Agent  Toni  Graham.  Initial  examination  of 
the  forensic  image  revealed  that  it  contained  the  Windows  XP 
operating  system  and  the  computer  was  set  to  Baghdad  time  (GMT 
+3:00). Before beginning my examination of the forensic image, I
performed a standard virus scan on this computer and confirmed that
it  had  no  malicious  files. 

I  used  the  EnCase  forensic  software  tool  to  conduct  my 
examination. This software is commonly used by forensic examiners.
It verifies the hash value of the evidence being examined so that the
examiner  can  be  sure  he  is  analyzing  an  exact  duplicate  of  the 
originally  collected  evidence.  A  "hash  value"  is  a  unique  identifier 
for  a  piece  of  electronic  information  that  is  made  up  of  a  series  of 
numbers  and  letters.  I  have  used  EnCase  software  extensively.  I 
encountered  no  errors  during  my  examination.  Overall,  my  forensic 
examination  identified  four  main  things  of  note.  I  will  address  each 
finding  in  turn. 

The  supply  annex  NIPRNet  computer  was  not  configured  for 
Common  Access  Card  (CAC)  logon,  as  the  "scforceoption"  value  was  not 
present. Instead, a username and password were required to logon.
On login to the computer by the — by a user, the computer was set to
display  a  Department  of  Defense  warning  banner  and  legal  notice.  The 
notice  read: 

ATTENTION: This is a DOD computer system. Before
processing classified information, check the security accreditation
level  of  this  system.  Do  not  process,  store,  or  transmit  information 
classified  above  the  accreditation  level  of  this  system.  This 
computer system, including all related equipment, networks, and
network devices (includes Internet access) are provided only for
authorized  U.S.  Government  use.  DOD  computer  systems  may  be 
monitored  for  all  lawful  purposes,  including  ensuring  that  use 
authorized  for  management  of  the  system,  to  facilitate  protection 
against  unauthorized  access  and  to  verify  security  procedures, 
survivability,  and  operational  security.  Monitoring  includes,  but  is 
not  limited  to,  active  attacks  by  authorized  DOD  entities  to  test  or 
verify  the  security  of  this  system.  During  monitoring,  information 
may  be  examined,  recorded,  copied,  and  used  for  authorized  purposes. 
All  information,  including  personal  information,  placed  on  or  sent 
over  this  system  may  be  monitored.  Use  of  this  DOD  computer  system, 
authorized  or  unauthorized,  constitutes  consent  to  monitoring. 
Unauthorized  use  of  this  DOD  computer  system  may  subject  you  to 
criminal  prosecution.  Evidence  of  unauthorized  use  collected  during 
monitoring  may  be  used  for  administrative,  criminal,  or  other  adverse 
action.  Use  of  this  system  constitutes  consent  to  monitoring  for  all 
lawful  purposes. 

The  DoD  warning  banner  and  legal  notice  did  not 
explicitly  prohibit  the  downloading  of  e-mail  addresses.  I  am  not 
aware  of  any  restriction  or  guidance  that  precludes  one  from 
downloading  e-mail  addresses  from  Outlook. 

The supply annex NIPRNet computer had a "bradley.manning"
user account. This account was not created until 21 May 2010. My
examination revealed that the user of the bradley.manning user
account  visited  the  Web  site  http://news.google.com  and  searched  for 
"wikileaks" on 21 May 2010. The bradley.manning user account visited
Web sites related to nonjudicial punishment under Article 15 on
21 May 2010. The bradley.manning user account also visited several
Web sites owned by Google in order to gain access to a Gmail e-mail
account, also on 21 May 2010. I also looked at the Microsoft Outlook
nickname file under the bradley.manning user account. The nickname
list  or  file  is  automatically  generated  when  a  user  sends  an  e-mail 
with  Microsoft  Outlook.  This  nickname  file  revealed  two  e-mail 
addresses  associated  with  Mr.  Adrian  Lamo.  When  I  examined  the 
Recycle Bin of the bradley.manning user account, I found a text file
that  contained  the  contents  of  a  PGP-encrypted  e-mail  communication 
between  PFC  Manning  and  Mr.  Adrian  Lamo.  The  text  file  was  named 
"Second  Attempt".  This  "Second  Attempt"  text  file  was  initially 
located  under  "My  Documents,"  but  was  later  removed  by  the  user  to 
the  Recycle  Bin. 

Other  than  the  items  just  described,  I  initially  found 
very little of investigative interest under the bradley.manning user
account.  I  later  went  back  and  examined  the  entire  computer, 
including  the  other  user  accounts  present  on  the  computer,  when  Mr. 
Mark  Johnson  found  references  to  the  United  States  Forces-Iraq  Global 
Address List (GAL) during his examination of PFC Manning's personal
computer, including extracts of what appeared to be a Microsoft
Exchange  GAL  with  thousands  of  e-mail  addresses.  Accordingly,  I  went 
back and examined the entire computer, including the "peter.bigelow"
user  account. 

When  I  looked  at  the  supply  annex  NIPRNet  again,  it 
appeared  to  me  that  PFC  Manning  or  someone  with  access  to  his 
personal  accounts  was  operating  the  computer  under  the  user  account 
peter.bigelow. I say this for several reasons.

First,  examination  of  the  "My  Documents"  folder  under  the 
peter.bigelow user account revealed a large text file that appeared
to be an extract of a Microsoft Exchange G-A-L, or GAL. The text
file was named "blah.txt", b-l-a-h-.-t-x-t. "Blah" is a naming
convention  that  was  used  by  PFC  Manning  for  files  on  his  personal 
computer  and  his  SIPRNet  computer. 

Second,  I  found  five  files  related  to  the  GAL  in  the 
Recycle Bin of the peter.bigelow user account, two text files named
"blah.txt",  two  ".zip"  archives  named  "blah.zip"  (each  containing  a 
text  file  named  "blah.txt"),  and  a  text  file  named  "tmp.txt".  All  of 
these  files  found  in  the  Recycle  Bin  appeared  to  have  been  created 
and  deleted  on  13  May  2010;  and  in  between  creating  and  deleting 
these files, the user of the peter.bigelow account also viewed the
bradley.e.manning Gmail account inbox. All of these files, text
files and .zip archives, contained extracts of what appeared to be a
Microsoft Exchange GAL similar to the content of the text file found
under  the  "My  Documents"  folder.  I  was  not  surprised  to  find  various 
files,  because  given  the  huge  amount  of  data  a  Global  Address  List 
contains,  it  would  be  easier  to  manage  fragments  rather  than  a  whole 
intact  file. 

As  stated  before,  I  found  two  large  text  files  named 
"blah.txt"  contained  within  the  ".zip"  archives  in  the  Recycle  Bin  of 
the peter.bigelow user account. The two text files are different.
One contains approximately 74,000 Exchange-formatted e-mail addresses
(e-mails text file), and the other contains the units, ranks, and
sections of personnel that correspond with the e-mail addresses
(names text file). Prosecution Exhibit 47 for Identification is a CD
containing the names text file. If fully printed, this text file
would be 1,386 pages. Prosecution Exhibit 147alpha for
Identification is a 20-page excerpt from the names text file.
Prosecution Exhibit 48 for Identification is a CD containing the
e-mails text file. If fully printed, this text file would also be
1,386 pages. Prosecution Exhibit 148alpha for Identification is a
20-page excerpt from the e-mails text file. I did not contact any
individual who could — who could have given me the actual Iraq GAL,
nor did I compare the data in the files recovered from the above
files with the actual Iraq GAL.




MJ:  Captain  Morrow,  let  me  stop  you  there  for  just  a  minute. 

In  paragraph  11,  my  copy  has  Prosecution  Exhibit  48  for 
Identification;  is  that  what  it's  supposed  to  read  or  148? 

ATC [CPT  MORROW]:  Paragraph  11,  ma'am? 

MJ:  Yes. 

ATC  [CPT  MORROW]:  Yes;  I  have  Prosecution  Exhibit  48  for 
Identification's  the  CD  containing  the  e-mails  text  file. 

Prosecution  Exhibit  148alpha  for  Identification  is  a  20-page  excerpt. 

MJ:  All  right,  so  these  are  two  separate  exhibits. 

ATC [CPT  MORROW]:  Yes,  ma'am. 

MJ:  Okay,  got  it. 

ATC [CPT  MORROW]:  One  is  an  excerpt  of  the  larger  - 

MJ:  Okay. 

ATC [CPT  MORROW]:  -  or  the  CD. 

MJ:  Okay. 

ATC [CPT  MORROW]:  I  did  not  attempt  to  communicate  with  any  of 
the  e-mail  addresses  located  in  the  above  files  and  am  unaware 
whether  the  listed  e-mails  were  functioning. 

Third, someone using the peter.bigelow account also
searched for "wikileaks" and "julian assange".

Fourth, the Recycle Bin of the peter.bigelow user account
contained a PDF of military documents pertaining to PFC Manning named
"tmp.pdf".




Finally, the Internet history for the peter.bigelow user
account  contained  Web  pages  displaying  the  logged-in  user  as  PFC 
Manning.  Specifically,  in  the  "index.dat"  file,  I  observed  logins  to 
PFC  Manning's  Army  Knowledge  Online  (AKO)  e-mail  account,  as  well  as 
logins to the bradley.e.manning Gmail account. "Index.dat", or dat,
is  a  file  used  by  Windows  to  record  Web  site  and  local  files  accessed 
by  a  user  to  help  speed  up  the  loading  of  pages  in  Microsoft  Internet 
Explorer  and  Windows  Explorer.  I  also  found  several  temporary 
Internet  files  that  were  Amazon.com  Web  pages.  One  of  the  pages 
displayed  PFC  Manning's  name  and  address  in  the  "Shipping  to"  and 
"Billing"  sections.  There  was  no  evidence  in  the  "index.dat"  file 
that a user of the peter.bigelow account visited the Twitter or
WikiLeaks  Web  sites,  nor  did  I  find  any  evidence  that  the  user 
visited  anti-American  or  extremist  Web  sites.  My  forensic 
examinations  produced  no  evidence  of  a  WikiLeaks  Most  Wanted  list  or 
any  suspicious  financial  transactions.  I  found  no  references  to 
Jason  Katz  during  my  investigation. 

With  regards  to  the  Global  Address  List  information,  I 
also found evidence that the user of the peter.bigelow user account
had  searched  for  information  on  the  Internet  relating  to  the  Global 
Address  List.  Specifically,  in  the  temporary  Internet  files,  I  found 
a  Google  search  page  with  results  for  searching  "global  address  list 
Microsoft excel macro". This search occurred on 11 May 2010. A
Microsoft Excel Macro is a computer program used within Microsoft
Excel to automate common procedures within Microsoft Excel.
Prosecution Exhibit 144 for Identification is a printout of the
search  page  from  this  computer  showing  the  Google  result  --  Google 
results  that  I  was  able  to  recover  from  the  computer  in  the  temporary 
Internet  files.  Prosecution  Exhibit  145  for  Identification  is  a 
search  page  showing  Google  results  for  a  search  for  "global  address 
list  macro  outlook".  This  search  also  occurred  on  11  May  2010  and 
this  Web  page  was  recovered  from  the  temporary  Internet  files  as 
well.  A  Microsoft  Outlook  Macro  is  similar  to  the  description  above 
for  a  Microsoft  Excel  Macro,  but  for  Microsoft  Office.  Prosecution 
Exhibit  146  for  Identification  is  a  Google  search  page  with  results 
from  a  search  for  "vba  outlook  write  text  file".  This  search 
occurred  on  13  May  2010.  "VBA"  is  short  for  "Visual  Basic  for 
Applications."  This  Google  search  provided  links  to  instructions  on 
how  to  computer  program  in  Visual  Basic,  a  common  programming 
language  for  Microsoft  Office  products  that  can  be  used  to  export 
information  from  Outlook  to  a  "txt"  file,  although  emails  can  also  be 
saved  by  clicking  on  "save  as"  in  Outlook  and  selecting  ".txt"  file 
type.  "Temporary  Internet  files"  is  a  folder  in  the  Windows 
operating  system  used  to  cache  or  store  Web  sites  visited  by  the  user 
through  Internet  Explorer  or  other  Web  browsers.  The  storing  or 
caching of these Web pages allows these Web sites to load more
quickly the next time they are visited by the user. They are also
used  typically  by  forensic  examiners  to  determine  what  Web  pages  a 
user  previously  accessed. 

Your  Honor,  at  this  time  the  prosecution  moves  to  admit 
Prosecution  Exhibits  47,  48,  144,  145,  146,  147alpha,  and  148alpha 
for  Identification  into  evidence. 

ADC [MAJ  HURLEY]:  No  objection,  Your  Honor. 

MJ:  All  right. 

May  I  see  them? 

[PEs  47,  48,  144,  145,  146,  147a,  and  148a  were  handed  to  the 
military  judge,  and  the  military  judge  reviewed  the  exhibits.] 

MJ:  All  right.  Prosecution  Exhibit  148alpha  is  admitted. 

[Pause]  Prosecution  Exhibit  147alpha  is  admitted.  Prosecution 
Exhibit  147bravo  for  Identification  is  admitted.  [Pause]  Prosecution 
Exhibit  146  is  admitted.  Prosecution  Exhibits  47  and  48  are 
admitted.  [Pause]  Prosecution  Exhibit  146  is  admitted;  145  is 
admitted;  144  is  admitted;  140  —  I  think  that  is  it. 

Any  left  —  any  other  exhibits  I  have  failed  to  admit? 

TC [MAJ FEIN]: That's it for Captain Morrow requested, Your
Honor.

MJ: [Pause] All right, at this time why don't we take a brief
recess, and I want to see counsel for just a quick second.

Ten  minutes  sufficient? 




TC [MAJ FEIN]: Yes, ma'am.

CDC [MR. COOMBS]: Yes, Your Honor.

MJ: All right, court is in recess for 10 minutes.

[The court-martial recessed at 1410, 17 June 2013.]

[The court-martial was called to order at 1424, 17 June 2013.]

MJ: Court is called to order. Let the record reflect all
parties present when the court last recessed are again present in
court.

Major Fein?

TC [MAJ FEIN]: Your Honor, the United States realized there
might have been some confusion about Appellate — or, excuse me,
Prosecution Exhibits 147alpha, 147bravo, 148alpha, 148bravo. Prior
to the recess, the United States moved to admit Prosecution Exhibits
147alpha and 147 — or, excuse me, 148alpha. Those are the 20-page
extracts from the two text files based off of Special Agent
Williamson's stipulation of expected testimony.

In addition to that now, the United States moves to admit
as 147bravo and 148bravo one-page redacted versions of those 20-page
extracts in order to be used in open court.

MJ: Any objection?

ADC [MAJ HURLEY]: No, ma'am.

[Pause]




MJ: All right. I'll admit those momentarily.

Are there any other administrative issues we have to
address?

TC [MAJ FEIN]: No, ma'am.

CDC [MR. COOMBS]: No, Your Honor.

MJ: Okay.

Did you have an opportunity to look into, I believe it
was, Prosecution Exhibits 138 and 139?

TC [MAJ FEIN]: Ma'am, the United States is still trying to find
a cleaner copy of those and will bring those to the court's attention
once we obtain them.

MJ: All right.

All right. Prosecution Exhibits 147b and 148b are
admitted.

Please proceed.

ATC [CPT von ELTEN]: Your Honor, the United States calls Chief
Warrant Officer 4 Ronald Nixon to the stand.

CHIEF WARRANT OFFICER 4 RONALD NIXON, U.S. Army, was called as a
witness for the prosecution, was sworn, and testified as follows:

DIRECT EXAMINATION

Questions by the assistant trial counsel [CPT von ELTEN]:

Q. You're Chief Warrant Officer 4 Ronald Nixon of Army Cyber
Command?




A. Yes, sir.

Q. What is your current position?

A. My current position, I'm the senior warrant officer in
the Enterprise Management Division, G33, Army Cyber Command.

Q. What does that entail?

A. We manage literally all the Army networks from the Secret
level and below across the Enterprise, which is across the global
scope, to include tactical and strategic systems.

Q. What is the Enterprise?

A. Okay, the Enterprise is the — Enterprise is the network
as a whole. The Army refers to it as the "LandWarNet"; you know,
DISA refers to it as the "GIG," but it is the network
all-encompassing.

Q. What position did you hold prior to this one?

A. Prior to that one, I was the senior warrant officer in
the Plans and Operations Division, G6, III Corps.

Q. What did that entail?

A. Very similar duties, but only on a tactical scale, so
support of combat operations; planning operations; services
management; service integration; network design.

Q. Where were you during that?

A. At III Corps, at Fort Hood.

Q. What certifications do you possess?




A. CCMP, Cisco — this next one are Cisco certified. CCMP,
CCNA, CCNA Security, CCN VoIP, and CISSP.

Q. What are the CCN certifications?

A. Cisco Certified Network and the Professional, Associate,
Associate Security, Associate Voice over IP.

Q. What do those certifications signify?

A. An understanding — a tested understanding of network
architecture and design, engineering and management.

Q. What is CISSP?

A. "CISSP" is the — really the current industry standard
for security and information sharing.

Q. What is your level of technical access under DoD 8570?

A. Level III.

Q. What is the highest level you can have?

A. Level III.

Q. And what certification is required for that?

A. It requires a technical skill set, which would be your —
higher than a CCNA and then — and then a policy piece, which would
be my CISSP.

Q. And, Chief Nixon, let's talk a little bit about your last
time to Iraq.

A. Yes, sir.

Q. What was your position there?



A. I was the senior warrant in the Plans and Operations
Division, USF-I J-6.

Q. And when were you there?

A. I was there from February of '09 until February of '10.

Q. What did that position entail?

A. Network engineering design; planning for operation
support for the entire theater of Iraq.

Q. What is USF-I?

A. "USF-I" was the four-star headquarters that was created
when they combined MNF-I and MNC-I into a joint four-star
headquarters, rolling up the I Corps — the Corps headquarters up
underneath them.

Q. Let's talk a little bit about the Global Address List in
Iraq. What is the Global Address List?

A. Okay, the "GAL" — the "GAL," the "Global," the "Global
Address List" -- is -- are you talking about the Global Address List
for a user, sir, or are you talking about the Global Address List as
a whole?

Q. As a whole.

A. Okay, as a whole. Okay, the Global Address List is a
product from the Active Directory -- Active Directory Global Address
List, which is where everyone — every person who has an account and
access to that domain and every machine that's added to that domain
is catalogued.

Q. What is the Global Address List for a user?

A. Okay, the Global Address List for the user is the
interface that most of them see through Outlook; and what that is, is
in a sense a phone book — it's a phone book equivalent for all of
your services out there, but it does contain the user's e-mail; any
alias e-mail accounts, their alias; and then any pertinent
information that would be added to — for the individual user, so it
helps me find your phone number, things like that, sir.

Q. Approximately how many people were on the USF-I GAL in
2009/2010?

A. A hundred and sixty thousand.

Q. What server was that accessible on?

A. Well, across a run of servers. You're able to access the
GAL through — so for an Exchange Client, you would be able to access
the GAL through Outlook on his machine; and also for a system
administrator, he would be able to access the GAL through either the
Exchange Server or the Active Directory service, the domain
controller itself.

Q. What type of information does the GAL contain?

22  A.  Again,  from  a  individual  user  perspective,  so  Captain  von 

23  Elten,  for,  you  know,  as  an  example,  would  have  the  pertinent 


8799 




information  for  you  when  you  first  set  up  your  account  when  you're 
added  to  the  domain;  any  alias  e-mail  addresses  you  would  have. 

Let's  say  like,  for  instance,  in  Iraq,  you  had  your  iraq.centcom.mil. 
Plus,  if  you  had  your  us.army.mil  attached  to  that  account  or  use  of 
that  account,  a  normal  CENTCOM  joint  account,  things  like  that,  for 
the  individual  user;  but  it  also  contains  the  additional  —  when 
you're  looking  at  the  GAL  from  an  Active  Directory  standpoint,  it 
also  contains  all  of  the  additional  security  information,  the 
username,  password,  certificates  that  are  attached  to  that,  and  then 
—  and  then  where  they  sit  within  the  OU  or  domain  structure. 

Q.  You  talked  about  "Active  Directory."  What  is  "Active 

Directory"? 

A.  Okay,  "Active  Directory"  is  —  "Active  Directory"  is  the 

directory  service  that  all  Microsoft  servers  use  to  be  able  to  talk 
and  interconnect  with  one  another.  Prior  to  Active  Directory, 
Exchange,  for  instance  —  I  like  to  use  Exchange  because  Exchange 
used  to  have  its  own  directory  service  a  long  time  ago.  Right  around 
2000,  they  created  Active  Directory  to  combine  all  of  those  services 
together,  to  join  them  all  in  one  place,  so  it  allows  all  the  servers 
to  be  able  to  cross-communicate,  so  SharePoint,  file  servers,
Exchange,  things  like  that;  they're  all  allowed  to  talk,  and  it  helps
talk  and  it  sets  the  permissions  and  what  they're  allowed  to  talk  to. 

Q.  What  is  a  "directory  service"? 


8800 




A.  Okay,  so  "directory  service"  is  my  catalog  for  servers  to 

be  able  to  talk  to  one  another.  Without  getting  too  technical,  it 
really  is  just  —  so,  for  instance,  my  domain  controller  —  my  Active 
Directory,  my  domain  controller,  says  that  I  am  allowed  to  talk  to 
this  division  or  this  corps  at  these  levels  and  establishes  the  trust 
relationship  between  them. 

Q.  What  is  the  purpose  of  Active  Directory? 

A.  Active  Directory  is  the  core  backbone  for  all  directory 

services  for  my  Microsoft  Exchange  Server  Suite.  So  for  a  brigade- 
or  division-level  Exchange  Server  to  be  able  to  talk  to  something  — 
somebody  else  within  USF-I,  they  would  have  to  be  able  to  access 
those  primary  Active  Directory  —  the  Active  Directory  itself  to  be 
able  to  do  those  cross-talks. 

It's  also  a  certification  process,  so  if  you  wanted  to  be 
able  to  access  another  type  of  server,  like  SharePoint,  it  checks 
your  credentials  against  it  and  says,  "Oh,  yes.  Captain  von  Elten  is 
able  to  do  these  things  and  this  is  what  he's  able  to  do." 

Q.  Were  credentials  —  what  credentials  does  it  check? 

A.  Well  depending  on  how  you're  logged  on.  So  for  Iraq, 

username  and  password;  those  are  the  primary  means  for  credentials. 

Q.  What  are  "permissions"? 

A.  "Permissions"  are  what  am  I  allowed  to  do  on  a  set  system 

or  server.  You're  giving  your  user  —  you're  —  so  a  primary  example 


8801 




1  is  user  services.  Okay,  by  Army  regulations,  DODI,  CGCSI 

2  regulations,  a  user's  only  allowed  to  do  certain  things  on  his 

3  machine.  He's  allowed  to  access  the  Internet.  He's  allowed  to,  you 

4  know,  open  up  and  run  programs,  but  you're  not  allowed  to  install 

5  anything  on  your  machine  as  a  user.  You  can't  even  update  your 

6  machine  anymore.

7  Q.  How  does  Active  Directory  support  security? 

8  A.  Active  directory  supports  security  by  a  couple  of 

9  different  ways.  One  is  it  sets  everything  up  in  a  domain  structure, 

10  so  it  basically  tells  you  what's  allowed  to  and  what  can  talk  to  what 

11  within  the  network.  It  sets  and  manages  my  permission  levels  for  my 

12  individual  users,  my  system  administrators,  my  network 

13  administrators;  and  then  it  also  controls  the  trust  relationships 

14  between  the  different  domains.  So  that  trust  relationship  is  an 

15  exchange  of  information  from  one  set  of  --  one  domain  or  one  set  of 

16  servers,  to  put  it  simply.  So  like,  for  instance,  from  USF-I  to  1st 

17  Cavalry  Division,  the  domain  controllers  establish  and  maintain  that 

18  relationship,  kind  of  like  a  traffic  cop. 

19  Q.  How  does  the  Active  Directory  interact  with  the  GAL? 

20  A.  Okay,  so  you're  —  Active  Directory  for  —  okay,  so  let's 

21  take  it  from  the  GAL  perspective  from  a  user;  yes,  sir.  Okay,  so  a 

22  GAL  perspective  from  a  user,  I  am  an  e-mail  Internet  Exchange.  I  log 

23  in  to  Outlook.  The  GAL  that  I  see  from  that  is  a  product  of  the 


8802 




Active  Directory  GAL.  It  is  then  —  basically,  it's  what  the 
Exchange  Server  pulls  to  create  the  GAL,  so  it  is  a  direct  product  of 
the  Active  Directory  Global  Address  List. 

Q.  How  does  Active  Directory  interact  with  the  GAL  from  a 

systems  administrator  perspective? 

A.  Well  from  a  systems  administrator  perspective,  if  I  log 

in  to  a  system  as  a  system  administrator,  the  Active  Directory  sets 
—  says,  "Chief  Nixon  is  allowed  to  add  programs  to  this  software." 
I'm  allowed  to  push  updates.  I'm  allowed  to  do  things  that,  you 
know,  in  order  to  effect  change  on  that  machine  or  effect  change  on 
the  server  or  the  network.  Within  that  rule  set,  because  of  the 
dangers  of  system  administrator  privileges,  for  instance,  though  I'm 
not  allowed  to  have  access  to  e-mail  and  I  don't  have  access  to  an 
e-mail  account  while  I'm  logged  in  as  the  system  administrator. 

Q.  What  software  does  a  user  use  to  interact  with  the  GAL? 

A.  The  primary  would  be  Outlook;  that's  where  they  see  it 

the  most  often. 

Q.  How  many  people  created  the  NIPR  GAL  in  USF-I? 

A.  [Pause]  Reword  the  question,  sir,  please.  Or  ask  it 

different.

Q.  How  many  people  were  involved  with  developing  it 

initially? 


8803 




1  A.  Okay.  The  initial  development  of  the  GAL  for  USF-I  took 

2  place  over  years.  Multi-National  Corps-Iraq  - 

3  ADC [MAJ  HURLEY]:  Pardon  me,  Chief.

4  MJ:  Yes. 

5  ADC [MAJ  HURLEY]:  Objection,  ma'am;  personal  knowledge. 

6  MJ:  Do  you  want  to  develop  a  foundation  for  that? 

7  ATC [CPT  von  ELTEN]:  I'll  move  on,  ma'am.

8  MJ:  All  right. 

9  Q.  Let's  talk  a  little  bit  about  the  resources  that  go  into 

10  creating  and  maintaining  the  GAL.  What  hardware  did  the  network  — 

11  did  the  GAL  use  for  the  network? 

12  A.  Okay.  So  for  the  —  for  the  GAL,  the  primary  Active 

13  Directory  and  Exchange  structure  in  Iraq,  for  NIPRNet,  you  had  four

14  Nexus  backbone  switches,  two  for  the  primary  and  then  two  for  the 

15  backup  COOP  in  Al  Faw  Palace.  Then  you  had  a  stack  of  64  server 

16  suites  that  supported  the  primary  site;  and  then  you  —  and  then 

17  after  that  you  also  had  all  the  normal  network  infrastructure, 

18  cabling,  router  switches,  satellite  equipment,  et  cetera. 

19  Q.  What  is  a  Nexus  switchback? 

20  A.  The  Nexus  switch  is  a  —  is  a  fiber  channel,  high  speed, 

21  low  latency  switching  backbone  that  you  use  to  support  the  back  of 

22  your  server  switches.  It  allowed  servers  to  be  able  to  communicate 


8804 




1  near  realtime  —  or  with  little  or  no  latency  between  each  other  at 

2  high  bandwidths.


3  Q.  How many did the NIPR GAL use?

4  A.  Four; two on the primary and two on the backup site.

5  Q.  What was the cost per -

6  A.  Uh -

7  ADC [MAJ HURLEY]:  Objection; hearsay.

8  I'm sorry, Chief.

9  Hearsay.

10  MJ:  You want to call for a hearsay response?

11  ATC [CPT von ELTEN]:  Yes, ma'am.

12  MJ:  Sustained.

13  Q.  Were you involved with contracting for the backbone

14  service?

15  A.  Yes.  I was the technical oversight for the DRS contract

16  that managed all the USF-I services in Iraq.

17  Q.  And who managed the hardware?

18  A.  Who managed the hardware?  We had 20 contracted — 20 to

19  24 contracted personnel that worked in the services section within

20  the JNCC-I, one warrant officer, one major, and five or six enlisted

21  personnel.

22  Q.  How much time would they spend working on this?

23  A.  24/7, 365, no breaks.

8805 




Q.  What  was  your  interaction  with  them? 

A.  I  worked  with  them  on  a  daily  basis  for  planning  of 

operations  and  administer  —  administration  and  fulfillment  of 
requirements  for  services  across  the  —  across  all  of  Iraq. 

Q.  How  many  servers  did  the  GAL  require  for  NIPRNet? 

A.  The  GAL  itself  would  have  been  present  on,  well,  the 

Active  Directory  itself,  so  you're  talking  about  the  64  that  —  comes 
into  that  physical  server  suite  of  64  servers  that  we  used  to 
maintain  and  run  NIPRNet  within  Iraq. 

Q.  How  many  of  those  servers  were  physical  servers? 

A.  I'm  talking  about  the  64  physical  servers. 

Q.  How  many  - 

A.  Virtual  server  environment  was  over  a  hundred. 

Q.  What  is  a  "physical  server"? 

A.  A  "physical  server"  is  a  —  is  a  Dell  or  whatever  brand 

device  that  you  can  actually  put  your  hands  on  and  hold.  You  know, 
hardware,  hard  drive,  memory,  processor,  I  can  actually  put  my  hands 
on  and  touch. 

Q.  What  is  a  "virtual  server"? 

A.  A  "virtual  server"  is  a  --  is  a  software  driven,  software 

created  server.  You  use  virtualization  to  be  able  to  reduce  the 
amount  of  physical  overhead  you  have  as  far  as  power  and  things  like 
that,  power,  physical  requirements,  for  the  server  suite;  and  it  also 


8806 




1  allows  you  to  share  resources  so  that  if  I  have  a  failure  in  one  I 

2  can  replicate  or  back  up  to  another  with  no  loss  of  service. 

3  Q.  How  many  contractors  work  on  the  servers? 

4  A.  We  have  —  those  20  to  24  contracted  personnel  were  the 

5  same  ones  that  did  the  maintenance  and  maintained  within  the  GAL. 

6  Q.  And  how  often  were  those  contractors  working  on  the 

7  servers? 


8  A.  24/7,  365;  always. 

9  Q.  Who  paid  their  salaries? 

10  A.  Their  salaries  were  paid  out  of  the  --  out  of  USF-I 

11  funding. 

12  ADC [MAJ  HURLEY]:  Objection,  ma'am;  hearsay. 

13  Q.  Is  that  your  personal  knowledge? 

14  A.  No;  that's  fact.  They  were  paid  out  of  the  USF-I  budget. 

15  ADC [MAJ  HURLEY]:  Thanks,  Chief.

16  Again,  ma'am,  we  would  object  as  to  hearsay. 

17  MJ:  How  do  you  know  that? 

18  WIT:  Well  the  funding  line  came  out  of  the  USF-I  J-6  funding 

19  line  underneath  Admiral  Simpson's  oversight  for  the  DRS  contract 

20  through  JNCC-I. 

21  Q.  What  was  your  --  well. 

22  MJ:  Hold  on.  I  will  sustain  the  objection  for  now. 

23  Go  ahead. 


8807 




1  Q.  What  was  your  involvement  in  budgeting? 

2  A.  In  budgeting  itself,  none.  I  didn't  do  budgeting,  per 

3  se,  just  oversighted  the  —  technical  oversight  of  the  management  of 

4  the  contract. 

5  Q.  How  did  you  manage  —  did  you  manage  costs? 

6  A.  I  had  oversight  on  cost.  I  didn't  —  I  wasn't  a  yea  —  a 

7  yes  or  no  person  on  that,  but  we  managed  —  so  if  something  was  cost 

8  prohibitive  or  something  like  that,  then  we  would  weigh  in,  but  we 

9  saw  all  of  the  functions  of  the  contract. 

10  Q.  What  cabling  did  the  GAL  use? 

11  A.  The  server  infrastructure  in  our  —  used  a  massive  amount 

12  of  cabling  between  the  primary  and  secondary  sites  and  in  all  of  the 

13  cabling  infrastructure  in  and  around  Victory  Base  and  then,  of 

14  course,  every  installation  you've  got,  you've  got  a  switched 

15  infrastructure  that  follows  that,  as  well. 

16  Q.  What  cooling  and  building  infrastructure  did  the  GAL 

17  require? 

18  A.  The  server  infrastructure  at  USF-I  was  in  excess  of 

19  100,000  tons  of  cooling  and  power. 

20  Q.  What  does  that  mean? 

21  A.  Well  you  equate  —  okay,  so  when  you  cool  your  house,  you 

22  have  a  number  of  BTUs  it  takes  to  heat  or  cool  your  house,  so  a 

23  standard  wall  air  conditioner  is  15,000  BTUs.  You  can  buy  one  for 


8808 




15,000  BTUs  at  Walmart.  So  when  we're  looking  at  tons,  so  you  take 
that  and  multiply  it  by  2,000  is  what  you're  looking  at  for  actual 
BTUs,  but  it's  the  actual  physical  cooling  requirement  for  the  serve 
—  for  the  servers  and  all  of  the  networking  equipment  that's 
supported  inside  that  building. 

Q.  What  kind  of  transmission  infrastructure  did  the  GAL  use? 

A.  Well,  the  GAL  used  —  the  GAL  —  the  server 

infrastructure,  services  infrastructure  of  Iraq  used  two  SONET  rings 
that  moved  in  and  around  Baghdad  and  you  had  a  north  and  a  south 
SONET  ring  and  then  you  had,  of  course,  the  satellite  infrastructure 
to  back  that  up. 

Q.  Let's  talk  a  little  bit  about  the  software.  What 

software  did  the  backbone  servers  require? 

A.  The  backbone  servers  required,  of  course,  your  Microsoft 

Suite  of  servers,  so  we  ran  a  mix  of  servers,  2003  and  2008,  across 
Iraq,  Enterprise  licenses  for  those,  and  you  had  Exchange,  you  had 
Active  Directory,  so  that  would  be  for  your  core  backbone  for  the 
services  that  we're  talking  about  here;  and  then  your  management 
consoles  and  then  —  and  then  all  of  the  support  infrastructure  for 
that,  antivirus,  host-based  firewalls,  and  other  services. 

Q.  What  is  "virtual  environment"  software? 

A.  Okay.  Okay,  so  in  Iraq  we  use  both  ESX  and  VMware  to

create  a  virtual  environment  for  all  of  our  service  —  servers  and 


8809 




services  stacks  within  Iraq.  So  you  run  a  virtual  environment  —  so 
it  allows  me  to  create  multiple  servers  on  a  single  platform  to  be 
able  to  share  —  share  my  resources. 

Q.  What  server  software  was  used? 

A.  Well,  we  use  Server  2000  --  well  we  used  Server  2003  and 

2008,  and  then  —  and  then  we  ex  —  the  Active  Directory  software 
that  was  used,  the  Management  Console,  and  then  Exchange  itself. 

Q.  How  many  licenses  were  required? 

A.  They  were  Enterprise  licenses,  so  depending  on  how  you 

purchased  from  Microsoft  at  the  time,  you  purchase  an  Enterprise 
license  and  then  based  on  the  number  of  systems.  So,  for  instance, 
let's  say  we  take  the  NIPRNet  stack,  we  ran  120,  130  instances  of 
Microsoft  Exchange  to  be  able  to  support  —  well,  no  —  Microsoft, 
sorry,  not  Microsoft  Exchange,  but  Server  2003  or  2008  to  be  able  to 
support  160,000  customers. 

Q.  How  many  licenses  did  Active  Directory  require? 

A.  It  would  have  been  the  same  thing.  It  would  have  been 

very  similar.  Again,  same  thing,  you  buy  an  Enterprise  license  to  be 
able  to  put  multiple  domain  controllers  across  the  network,  but  then 
I  have  to  buy  my  software  based  on  the  number  of  clients  that  I  have 
to  be  able  to  support,  so  in  that  case  it  would  have  been  about 
160,000. 


8810 




1  Q.  What  kind  of  maintenance  did  the  GAL  require  to  keep  it 

2  current? 

3  A.  Well,  of  course,  you've  got  —  you've  got  security 

4  updates  and  then  you've  got  your  daily  updates,  so  anytime  an  update 

5  comes  out  from  Microsoft,  you  have  to  be  able  to  patch  to  be  able  to 

6  maintain  security  or  maintain  stability  on  the  platform,  so  you  have 

7  Microsoft  Tuesday,  so  at  least  once  a  week,  and  then  for  antivirus 

8  and  security  sometimes  daily. 

9  Q.  Who  updated  the  GAL? 

10  A.  Again,  okay,  updating  the  GAL,  are  we  talking  about  from 

11  a  update  perspective  or  are  we  talking  about  from  a  content 

12  perspective? 

13  Q.  First,  from  an  update  perspective. 

14  A.  Okay,  from  an  update  perspective,  it  would  have  been  the 

15  same  20,  24  contractors  and  the  military  staff  that  worked  in  the 

16  JNCC-I  for  USF-I.

17  Q.  Who  updated  the  GAL  from  a  content  perspective? 

18  A.  From  a  content  perspective,  your  updates  were  done  from 

19  all  across  the  board.  You  would  have  had  local  system  administrators 

20  who  could  do  your  account  creation,  then  you've  got  your  help  desks, 

21  and  then  you've  got  your  overall  maintenance  of  the  GAL  that  would 

22  have  been  for  Active  Directory  or  Exchange,  which  would  have  been 

23  done  at  USF-I. 


8811 




Q.  How  often  —  or  how  many  people  were  involved  with 

updating  the  content? 

A.  Okay,  well,  from  a  USF-I  perspective,  again  we're  talking 

the  same  20  to  24  personnel  plus  the  enlisted  staff,  but  that  doesn't 

count  the  ITT  contract  that  was  spread  all  over  Iraq  that  ran  all  the 
help  desks,  so  that  would  have  been  a  minimum  of  one  at  every  FOB. 

Q.  How  often  were  military  staff  working  on  those? 

A.  All  the  time. 

Q.  And  how  --  and  how  many? 

A.  Well,  dozens,  sir,  because  you  had  the  Strategic  Signal 

Battalion  that  was  stationed  out  of  Baghdad  that  supported  all  of  the 
help  desks.  Every  help  desk  had  some  type  of  military  personnel 
sitting  over  top  of  it,  so  we're  talking  about  a  signal  battalion 
worth  of  strength;  and  then  you're  talking  USF-I.  Again,  the  USF-I 
guys,  you're  talking  the  major,  the  warrant,  and  the  enlisted  guys 
that  worked  underneath  him. 

Q.  How  are  updates  pushed  out  to  the  GAL? 

A.  Updates  to  the  GAL  from  a  —  again,  from  a  content,  sir, 

or  from  a  --  from  a  maintenance  perspective? 

Q.  From  a  content  point  of  view. 

A.  From  a  content  point  of  view,  they  were  done  constantly, 

so,  again,  if  somebody  came  into  country  the  first  time  and  their 
account  was  created,  then  that  update  would  have  been  done  then  and 


8812 




there.  It  does  take  about  24  hours  for  that  update  to  take  place 
when  I'm  talking  about  it  from  a  content  standpoint;  adding  the 
machine  to  the  domain,  again,  same  thing.  Those  are  reoccurring, 
kind  of  constant  things  that  happen  all  the  time.  They're  almost  a 
day-to-day  function;  and  then  my  maintenance  updates  would  have  been 
pushed  down  from  USF-I  from  my  contracted  military  staff  up  in  —  up 
at  JNCC-I. 

Q.  How  was  GAL  information  stored? 

ADC [MAJ  HURLEY]:  Objection,  Your  Honor;  relevance. 

ATC [CPT  von  ELTEN]:  It's  resources  required  to  maintaining  the
GAL,  Your  Honor.  It  goes  to  the  valuation. 

ADC [MAJ  HURLEY]:  I  think  we've  firmly  established  the  resources 
that  are  required  to  maintain  the  GAL. 

MJ:  I'll  let  them  have  - 

ADC [MAJ  HURLEY]:  Yes,  ma'am.

MJ:  -  some  leeway. 

Go  ahead. 

Q.  How  was  GAL  information  stored? 

A.  The  physical  storage  of  the  GAL  was  maintained  on  the  — 

on  two  —  for  NIPRNet  was  on  --  NIPR  and  SIPR  both  were  done  on  SANs 
at  USF-I  Headquarters,  that's  where  the  primary  repository  was,  and 
then  you  had  servers  at  each  and  every  instance  of  exchange  all  the 
way  across  Iraq. 


8813 




Q.  What  is  a  "SAN"? 

A.  "SAN"  is  a  storage  area  network. 

Q.  How  much  does  a  SAN  hold,  how  much  storage? 

A.  Ours  was  in  the  hundreds  of  terabytes. 

Q.  How  many  SANs  were  required  for  the  NIPR  GAL? 

A.  Two;  one  primary  at  the  --  one  primary  at  USF-I 

Headquarters  and  then  one  at  the  COOP  site  in  Al  Faw  Palace.

ATC [CPT  von  ELTEN]:  I'm  retrieving  Prosecution  Exhibit  48.
[The  court  reporter  handed  PE  48  to  the  assistant  trial  counsel.] 


ATC [CPT von ELTEN]:  I'm handing Prosecution Exhibit 48 to the
witness.

Q.  Chief Nixon, do you recognize that?

A.  Yes, sir.

Q.  What is it?

A.  It's a CD that says "GAL e-mails" on there.

Q.  Have you reviewed it?

A.  Yes, sir.

ATC [CPT von ELTEN]:  Retrieving Prosecution Exhibit 48 [pause]
and handing it to the court reporter.

Retrieving Prosecution Exhibit 148bravo; handing it to
the witness.

Ma'am, permission to publish?

MJ:  Proceed.

8814 




[PE  148b  was  published  using  the  digital  projector.] 

Q.  Do  you  recognize  this,  Chief  Nixon?

A.  Yes,  sir. 

Q.  What  is  it? 

A.  This  is  the  --  this  is  the  output  of  a  GAL  pull  from  one 

of  the  —  from  a  --  from  an  Exchange  Server  in  USF-I. 

Q.  How  do  you  know? 

A.  One,  is  I'm  looking  at  —  if  I  look  at  the  domain  names, 

they  were  all  present  in  Iraq  when  I  was  there,  iraq.centcom.mil,  for 
bct.2id,  mndb,  so  these  would  all  be  e-mail  addresses  that  were 
either  stored  locally  or  transversed  --  transverse  the  GAL;  and  then, 
of  course,  the  string,  the  way  the  string  is  set  up,  2d  BCT,  10th 
Mountain,  everything,  that  shows  —  that  shows  the  SMTP  string,  but 
if  you  were  to  go  into  Outlook  and  look  at  and  bring  up  —  and  hit 
the  little  "To"  button  and  click  and  if  you  see  e-mail,  that  would  be 
the  string  that  you  would  see  up  there. 

Q.  What  is  a  "domain"? 

A.  A  "domain"  is  the  space  that  you're  allowed  to  —  the 

name  space  that  you  operate  in  within  a  network.  So  in  Iraq,  we  used 
iraq.centcom.mil  or  preface  that  with  like  mndb.army.mil,  so  those 
are  the  operating  spaces,  the  named  operating  space  that  you  operated 
in,  so  each  —  each  one  that's  different  from  another  represents  a 


8815 




domain  that  you  had  to  have  trust  relationships  to  be  able  to  talk 
and  communicate  across  with  one  another. 

ATC [CPT  von  ELTEN]:  Thank  you.

Returning  Prosecution  Exhibit  148bravo  [handed  to  court
reporter].

Retrieving  Prosecution  Exhibit  47  and  handing  it  to  the
witness.

Q.  What  have  I  handed  you,  Chief  Nixon? 

A.  You  handed  me  a  CD  with  GAL  names  on  it. 

Q.  How  do  you  know? 

A.  I've  seen  it  before,  sir. 

ATC [CPT  von  ELTEN]:  Thank  you. 

Retrieving  Prosecution  Exhibit  47. 

I'm  handing  the  witness  —  I'm  retrieving  Prosecution 
Exhibit  147bravo  and  handing  it  to  the  witness. 

Ma'am,  permission  to  publish? 

MJ:  Yes. 

[PE  147b  was  published  using  the  digital  projector.] 

Q.  Do  you  recognize  this? 

A.  Yes,  sir. 

Q.  What  is  it? 

A.  This  is  the  —  this  would  be  a  —  the  names  that  you 

would  get  from  a  GAL  or  the  alias  that  somebody  would  carry  on  a  GAL. 


8816 




So,  for  instance,  if  you  were  looking  at  Outlook  in  "To,"  if  you
typed  in  the  first  part  of  somebody's  name  and  you  hit  "Control-K" 
this  would  be  what  you  would  see.  It's  the  user's  reference  or 
interpretation  of  GAL  information. 

Q.  What  information  is  displayed  in  any  given  entry? 

A.  Well,  any  given  entry  is  --  well,  okay,  standard  for  the 

military  is  first  name,  last  name,  rank,  and  then  unit  affiliation, 
so  —  so,  again,  you're  able  to  tag  somebody  down  to  what  unit  they 
work  at  pretty  quickly  and  easily. 

ATC [CPT  von  ELTEN]:  Returning  Prosecution  Exhibit  147bravo
[handed  to  court  reporter].

Q.  What  is  a  "COOP  site"? 

A.  A  "COOP  site"  is  a  continuity  of  operations  site,  sir,  a 

backup. 

Q.  What's  its  purpose? 

A.  For  both  military  —  well,  for  Army  —  per  Army 

regulations  and  per  combat  operations  in  a  war  zone,  you  have  to  have 
the  ability  to  back  up  all  of  your  information.  So  for  Iraq,  for  the 
USF-I  services  in  Iraq,  the  Iraq  and  S-Iraq  domains,  we  created  a 
COOP  site  in  Al  Faw  Palace  to  allow  us  to  back  up.

MJ:  What's  it  called? 

ACC:  It's  called  a  "COOP  site,"  ma'am,  continuity  of 

operations,  AR  500-3,  I  believe. 


8817 




Q.  What  resources  are  required  for  the  COOP  site? 

A.  So  for  Iraq,  we  had  to  maintain  realtime  --  we  had  to 

maintain  realtime  replication,  so  that's  why  the  Nexus  fiber  channel 
switches  were  the  primary  switches  that  we  used  for  the  backbone  of 
the  servers.  So  it  basically  requires  similar  storage,  nearly  the 
same  operating  space  and  capacity  for  the  physical  server 
environment.

Q.  Who  had  access  to  the  NIPR  GAL  in  Iraq? 

A.  Okay,  from  a  user  perspective? 

Q.  From  a  user  perspective. 

A.  From  a  user  perspective,  you  had  access  to  the  GAL  if  you 

were  registered  within  a  domain  to  be  able  to  access  it. 

Q.  And  what  people  would  have  been  registered? 

A.  Only  people  with  created  accounts.  [Pause]  So  you've 

signed  your  user  agreement,  you've  been  cleared  to  be  able  to  do  so, 

and  you  have  an  account  created. 

Q.  What  people  in  the  United  States  would  have  had  access  to 

USF-I  GAL,  NIPR  GAL? 

A.  From  the  United  States,  none. 

Q.  So  what  people  in  Iraq  would  have  had  access  to  the  USF-I 

NIPR  GAL? 

A.  The  military  —  well,  the  people  working  on  the  USF-I 

domain  in  Iraq. 


8818 



[Pause] 

ATC [CPT  von  ELTEN]:  One  moment,  Your  Honor.

[Pause] 

ATC [CPT  von  ELTEN]:  Retrieving  Prosecution  Exhibit  48;  handing 
to  the  witness. 

Q.  Chief  Nixon,  what  information  is  on  that  CD? 

A.  It's  a  —  the  list  of  the  GAL  e-mail  traffic  —  or  the 

Exchange  pool  from  an  Exchange  Server  in  Iraq. 

Q.  How  - 

A.  So  the  e-mail  information. 

Q.  How  do  you  know? 

A.  Well,  as  we  stated  before  when  it  was  up  on  the  screen, 

you  can  see  —  one,  is  you  can  see  all  of  the  Iraq  domain  name 
information  on  there  and  the  SMTP  strings,  so  if  you  were  to  go  to, 
again,  you  go  to  "To,"  you  go  up  there  and  you  click  "E-mails,"  you 
would  actually  see  that  —  that  would  be  the  information  that  you 
would  see  up  there  in  that  —  in  that  context  box. 

Q.  How  much  access  would  an  individual  —  how  much  of  the 

GAL  could  an  individual  user  access? 

A.  [Pause]  Okay,  so  within  Exchange,  Outlook  —  Outlook 

gives  you  a  set  view  of  what  you  see  with  the  GAL,  so  that  would  be 
the  information  that's  provided  for  lack  of  a  better  term  public 
consumption  within  the  Iraq  network,  so  name,  contact  information,


8819 




those  types  of  things,  e-mails,  any  groups  that  you  belong  to,  that 
would  be  the  content  that  you  would  see.  You  wouldn't  be  able  to  see 
further  information  like  what  your  permissions  set  were  or  what  OUs 
you  belong  to  or  any  —  or  domain  structure  you  belong  to  for  it, 

MJ:  What  is  - 

A.  -  et  cetera.  You  wouldn't  see  - 

MJ:  - an  "OU"? 

A.  - any  of  that. 

It's  your  operating  environment  within  —  within  your 
domain  structure,  ma'am. 

Q.  What  does  "OU"  stand  for? 

A.  [Pause]  I  —  it's  escaped  me  right  now,  sir. 

Q.  How  many  user  --  how  many  of  the  160,000  accounts  could 

the  individual  user  see  when  accessing  the  GAL? 

A.  All  of  them.  If  I  —  so  when  I  hit  "Control-K"  in  Iraq, 

up  at  USF-I  Headquarters,  if  I  didn't  put  any  information  in  there  I 

would  have  pulled  all  160,000  names. 

Q.  What  if  you  weren't  at  Headquarters  but  just  on  any 

terminal? 

A.  Well,  so  —  so  if  I  was  —  let's  take  for  instance  if  I 

was  at  1st  Cav  Headquarters,  we  did  GAL  syncs  with  them  on  a  regular 
basis  with  SimpleSync,  so  they  would  be  able  to  search  my  GAL  for  a 


8820 




1  targeted  individual  but  they  wouldn't  necessarily  see  the  USF-I 

2  Headquarters;  so  --  so  if  you're  within  a  do  --  a  division  structure, 

3  you  could  see  25-,  30,000  names  within  that  infrastructure  so. 

4  Q.  How  would  a  user  access  the  other  130,000  names? 

5  A.  They'd  just  have  to  search  for  them.  As  long  as  they're 

6  within  the  overall  greater  Iraq  domain,  they  would  just  have  to 

7  search  for  them.  So  it's  not  a  —  it's  not  a  —  an  automatic,  "Here 

8  you  go,"  and  it's  done  to  keep  —  it's  done  to  keep  you  from 

9  overloading  the  system.  If  you  pull  down  160,000  names  in  Outlook, 

10  you  know,  you  just  lock  your  system  up  so,  you  know,  but  do  you  have 

11  access  to  all  of  them?  Yes.  Can  you  actually  pool  and  stream  and 

12  run  down  all  160,000?  No.  But,  yes,  you  can  definitely  —  you  have 

13  access  to  all  of  them. 

14  Q.  How  many  e-mail  accounts  were  reflected  on  that  CD? 

15  A.  I  want  to  say  it  was  about  24,000  that  were  on  that  CD. 

16  ATC [CPT  von  ELTEN] :  I'm  retrieving  Prosecution  Exhibit  48 

17  [retrieved  from  witness  and  handed  to  court  reporter] . 

18  I'm  retrieving  Prosecution  Exhibit  47.  I'm  handing  it  to 

19  the  witness. 

20  WIT:  Yes,  sir. 

21  Q.  How  many  names  were  on  that  CD? 

22  A.  This  —  the  names  on  the  CD  match  the  e-mail  Exchange 

23  list  verba  —  line  for  line,  so  it's  about  24,000  as  well. 


8821 




Q. What names could be hidden from the GAL in 2009/2010?

A. We didn't have the ability to hide names. In fact, if
you look at the name list, the first two names on the list are
General Odierno and General Austin.

Q. And who are they -

A. Oh, I'm -

Q. - at that time?

A. They were the — the preceding and incoming USF-I
commanders, so the four-star generals in charge of the theaters of
operations in Iraq.

ATC [CPT  von  ELTEN] :  I'm  retrieving  Prosecution  Exhibit  47  and 
giving  this  to  the  court  reporter. 


[Pause] 

Q. Why didn't the public have access to the NIPR GAL?

A. You don't want public access to your GAL. It's not a —
because of the information that's in there, I mean, I don't need
anybody to have General Odierno or General Austin's desk number, let
alone contact information, what groups they belong to, things like
that, so it really is an OPSEC security issue. It's not a publish --
public consumption piece.

From  a  technical  perspective,  it  also  means  that  those 
outside  individuals  have  —  would  have  to  have  access  into  my  domain 


8822 




The  NIPRNet  is  not  a  public  access  network,  regardless  of  what  people 
think. 

ATC [CPT  von  ELTEN] :  Thank  you.  No  further  questions. 

MJ:  Defense? 

ADC [MAJ  HURLEY] :  Yes,  ma'am. 

CROSS-EXAMINATION 

Questions  by  the  assistant  defense  counsel  [MAJ  HURLEY] : 

Q.  Good  afternoon,  Chief. 

A.  How  are  you  doing,  sir? 

Q.  I'm  good,  thank  you. 

Let's start here. You — on your — during your direct
examination of Captain von Elten, you called the Active Directory the
"backbone."

A.  Yes,  sir. 

Q.  And  the  backbone  is  the  resource-intensive  element  to 

this,  correct,  the  server  space,  the  personnel  requiring  it,  they're 
updating  the  Active  Directory  and  they're  working  with  the  Active 
Directory? 

A.  Well  they  work  with  all  of  the  services.  When  you  say 

"backbone,"  it  is  the  integrated  and  backbone  piece  of  the  services 
piece,  so  it's  your  anchor  point  for  all  of  your  services. 


8823 




1  Q.  To  continue  the  anatomical  analogy  a  little  further,  if 

2  the  —  if  the  Active  Directory  is  your  backbone,  then  the  GAL  is  just 

3  an  arm  of  it.  It's  just  a  part  of  this  integrated  service. 

4  A.  Mmmm  [sighed],  I  don't  know  if  I'd  quite  use  that 

5  analogy,  sir.  I  - 

6  Q.  It's  a  function  —  it's  a  subset  function  of  the  Active 

7  Directory. 

8 A. It's a — it's a direct product of the Active Directory.

9  The  Active  Directory  GAL,  the  Active  Directory  Global  Address  List  is 

10  a  culmination  of  everything  that  exists  within  Active  Directory,  so 

11  as  far  as  all  of  my  individual  machines  and  services,  all  of  my 

12  servers  and  users  within  Active  Directory,  so  that's  —  that's  where 

13  all  of  that  exists;  so  my  Exchange  GAL  is  a  direct  product  of  that. 

14  Q.  You  can  turn  off  the  Global  Address  List  as  part  of  the 

15  Active  Directory. 

16  A.  [Pause]  What  do  you  mean  "turn  off,"  sir? 

17  Q.  You  can  just  stop  the  function  from  occurring.  If 

18  someone  asks  for  the  —  for  the  Global  Address  List,  then  it  doesn't 

19  need  to  come  up;  the  Active  Directory,  that  function  doesn't  need  to 

20  be  performed. 

21  A.  I  guess  you  could  —  you  could  say  —  yeah,  okay.  Yeah, 

22  I  could  not  allow  user  access  to  - 

23  Q.  The - 


8824 




A.  - yes - 

Q.  -  Global  Address  List. 

A.  Yes. 

Q.  But  in  this  hypothetical  scenario,  you  would  still 

require  that  much  server  space  and  resource  to  maintain  the  Active 
Directory. 


A.  Yes,  yes. 

Q.  So  let's  talk  about  the  GAL,  and  this  is  during  your  — 

the  period  of  your  deployment,  - 

A.  Yes. 

Q.  -  Chief,  and  as  I  understood  it,  that  was  from 

February  of  2009,  this  deployment,  February  of  2009  to  February  of 

2010. 


A. Yes, sir.

Q. The GAL was always operational.

A. Yes, sir.

Q. And you used the GAL during this time.

A. Yes, sir.

Q. And you never had a problem with it.

A. No, sir.

Q. No one ever — you never heard any prolonged or sustained
problems with the GAL during this period of time.


8825 




A. Well you — I mean, there's always outages across a
network that size, -

Q. Right.

A. - but that would be — yeah, but -

Q. But -

A. But no — primarily, no. The GAL itself never went down
hard, no, sir.

Q. And you don't recall any instruction to not use the GAL,
force-wide, USF-I-wide; don't use the GAL, all personnel in USF-I.

A. No, sir.

Q. Now you indicated there are a 160,000. When you said
there are 160,000 users on the GAL, -

A. Yes, sir.

Q. - that was when you left in February of 20 — of 2010;
is that — is that where you'd pinpoint that 160?

A. Yes, sir.

Q. But Prosecution Exhibits 47 and 48, the pros — that this
— that Captain von Elten -

A. Uh-huh [affirmative response].

Q. - just had you look at, you said there's 24,000
e-mails on there?

A. Yeah, about there, sir.

8826 




1  Q.  And  the  same  24,000  e-mails  were  the  same  24,000  people 

2  on  47  and  48,  right? 

3  A.  Yes,  sir. 

4  Q.  But  that's  —  in  24,000,  that's,  you  would  agree  with  me, 

5  substantially  less  than  160,000. 

6  A.  Oh,  yes,  sir. 

7  Q.  A  point  about  the  information  on  there,  the  phone  numbers 

8  that  would  be  associated  with  the  USF-I  GAL  would  be  DSN  numbers, 

9  correct? 

10  A.  Not  all  of  them,  sir. 

11  Q.  The  —  some  would  be  DSN. 

12  A.  Some  would  be  DSN;  you  also  had  commercial  cell  phones; 

13  you  also  had  —  you  also  had  —  you  also  had  STE  phone  numbers  that 

14  were  tied  to  Iraqi  commercial  land  lines,  there  would  have  been 

15  access  to  that. 

16  Q.  You  also  had  VoIP? 

17  A.  And  you  also  had  VoIP  and  SvoIP,  yes,  sir. 

18  MJ:  What  is  "VoIP"? 

19  ADC [MAJ  HURLEY]:  Voice  over  - 

20  WIT:  Voice  over  IP,  ma'am,  digital  phones. 

21 ADC [MAJ HURLEY]: Just a moment, Chief.

22  WIT:  No  problem. 

23  [Pause] 


8827 




Q.  And  you  said  the  Active  Directory  performs  other  tasks 

besides  the  Global  Address  List. 

A.  Yes,  sir. 

Q.  It  helps  establish  shared  drives,  the  Active  Directory 


A.  Access  to  those  shared  drives,  sir. 

Q.  And  it  helps  with  other  network  tasks. 

A.  Yes,  sir. 

Q.  And  one  of  the  functions,  ultimately,  is  to  produce  the 

GAL. 


A.  Yes. 

Q.  And  the  GAL  is  —  there's  a  —  I  just  want  to  make  sure  I 

get  these  terms  right  --  there's  the  GAL  as  a  whole,  that's  one,  and 
there's  a  GAL  that  the  user  pulls  up  when  he  says,  "Show  me  the  GAL." 

A.  Yes,  sir. 

Q. This wasn't your first deployment to Iraq, was it, Chief?

A.  No,  sir. 

Q.  So  just  —  I'm  going  to  go  along  with  this  a  little  bit. 

I'm  just  going  to  give  you  what  I  understand  of  the  process  and  you 
tell  me  where  that  this  isn't  - 

A.  No  problem,  sir. 

Q.  -  where  this  isn't  accurate. 

So  a  Soldier  deploys;  - 


8828 




A.  Uh-huh  [affirmative  response] . 

Q.  -  gets  to  her  camp,  post,  or  station,  FOB,  COP,  or 

whatever;  - 


A.  Yes,  sir. 

Q.  -  and  then  there's  a  --  would  be  a  lag  period  of  time 

between  when  she  gets  there  and  her  e-mail  setup. 

A.  Yes,  sir;  yeah. 

Q.  And  then  eventually,  as  we  all  hope  and  pray  when  we're 

in  Iraq  or  Afghanistan,  there's  —  the  period  of  deployment  ends  and 
we  redeploy. 


A.  Yes,  sir. 

Q.  And  for  a  period  of  time,  the  GAL  will  still  reflect 

someone  who  has  redeployed;  is  that  - 

A.  Yeah,  for  a  period  of  time.  Usually,  if  things  are  done 

right,  it's  usually  24  to  48  hours;  if  not,  we  would  run  a  script 
that  deleted  any  account  that  was  inactive  for  longer  than  90  days. 

Q.  All  right,  so  if  it  was  that  —  and  that  was  a  task  that 

was  pushed  down  to  the  lower  level  communications  folks,  right,  to 

make  sure  that  that  —  the  24-to-48-hour  thing  happened? 

A.  Yeah,  that  was  a  lower  level;  the  upper  level,  the 

overhead  piece  to  that  was  the  script  for  every  90  days  for  the 

account  deletion. 


8829 




1  Q.  And  the  same  thing  for  someone  who  had  to  leave  in  the 

2  middle  of  the  deployment  never  to  return;  that  you  would  hope  that 

3  the  lower  level  communications  people  - 

4  A.  Yes,  sir. 

5  Q.  -  would  take  them  off  - 

6  A.  Yes,  sir. 

7  Q.  -  take  them  out  of  the  Active  Directory,  thereby 

8  taking  them  out  of  the  GAL. 

9  A.  Yes,  sir. 

10  Q.  And  that's  the  process,  right?  You  get  put  into  the 

11  Active  Directory  to  get  access  to  this  —  the  system. 

12  A.  Yes,  sir. 

13  Q.  Is  that  right? 

14  A.  Yes,  sir. 

15  Q.  And  then  once  you're  in  the  system,  as  a  user  you  can 

16  pull  a  GAL. 

17  A.  Yes,  sir;  yeah.  It  allows  you  to  log  on  to  your  machine 

18  and  then  have  visibility  or  access  to  the  GAL. 

19  Q.  So  if  a  GAL  is  taken  at  any  particular  point  in  time, 

20  there  would  be  people  in  country  with  just  no  e-mail  access  set  up 

21  yet;  that  there  would  be  people  in  country  that  just  don't  have  their 

22  e-mail  that  are  there  and  going  to  have  e-mail;  do  you  see  what  I 

23  mean? 


8830 




A.  Um - 

Q.  I  just  get  to  a  FOB;  - 

A.  Yes,  sir. 

Q. - that period of time we were just talking about.

A.  Uh-huh  [affirmative  response] . 

Q.  My  e-mail  account  isn't  set  up  yet. 

A.  Yeah,  yeah,  you  would  have  —  you  would  have  a  —  you 

would  have  a  run  of  personnel  who,  yeah,  you've  been  there  for  the 
first  24/48/72  hours,  some  may  be  up  to  a  week,  depending  on  the  size 
of  the  FOB  and  the  competency  of  the  help  desk  staff,  you  know,  you 
could  be  —  you  know,  it  could  be  a  little  ways  where  you  could  be 
sitting  around  without  access  to  e-mail;  yes,  sir. 

Q.  So  that  snapshot  that  was  taken  on  a  day  for  those 

individuals,  they  wouldn't  be  on  it. 

A.  That's  a  possibility,  yes,  sir. 

Q. And the snapshot that was taken for that — again that
same day for people who'd redeployed but their information just
hadn't come off the network -

A.  Yes,  sir;  yeah. 

ADC [MAJ  HURLEY]:  As  we  looked  at  —  Ma'am,  may  I  publish 

Prosecution  Exhibit  170  —  147bravo? 

MJ:  Yes. 

[The assistant defense counsel conferred with cocounsel.]


8831 




ADC[MAJ  HURLEY]:  My  apologies,  ma'am,  I'm  going  to  publish 
Prosecution  Exhibit  148bravo. 

MJ:  All  right. 

[PE  148b  was  published  using  the  digital  projector.] 

ADC [MAJ HURLEY]: I want you to just direct your attention
there.

WIT:  Yes,  sir. 


Q. You indicated to Captain von Elten on direct that all of
these e-mails were — were Iraq-centric e-mails, correct?

A. Yes, sir.

Q. Now, if I'd linked up my AKO, would it show it for any of
these individuals?

A. No, sir.

Q. It wouldn't show it.

A. No, sir.

Q. Would it show it to any user that was accessing the GAL?

A. So, for instance, if when you created your account, -

Q. Right.

A. - if you said, "Hey, I have an alias account that I
need — that I need to be linked to this," or, for instance, when you
have an Enterprise e-mail account right now. Your Enterprise e-mail
account is linked to your AKO, -

Q. Right.

8832 




1  A.  -  so  it's  —  so  that's  tied  into  it,  so  if  you  were  to 

2  look  at  this  traffic  or  if  you  were  to  look  at  this  stream  in  there 

3  now,  if  you  were  to  look  at  yourself  in  there,  you  would  see  both 

4  this  e-mail  and  that  one,  but  your  —  but  your  us.army.mil  e-mail  is 

5  not  part  of  this  domain.  It's  an  e-mail  that  exists  outside  of  this 

6  domain,  so  when  you  pull  it  here,  it  wouldn't  pull  it  here  unless  you 

7  had  traffic  that  had  traversed  that  Exchange  Server  for  some  reason. 

8  Q.  All  right.  So  typically  speaking,  when  you  would  pull  — 

9  when  the  user  would  pull  the  user  GAL,  this  is  what  you'd  see. 

10  A.  Uh-huh  [affirmative  response] . 

11  Q.  And  this  —  and  in  February  2010,  you  wouldn't  even  see 

12  an  AKO  e-mail  address  up  there. 

13  A.  No,  sir. 

14  Q.  But  nowadays  with  mail.mil,  that  might  but  - 

15  A.  And  we  did  have  —  we  did  have  a  —  excuse  me  —  we  did 

16  have  a  small  number  of  personnel  who  had  their  e-mail  accounts  linked 

17  or  like,  for  instance,  we  had  a  lot  of  CENTCOM  personnel  who  had 

18  their  e-mail  accounts  linked  to  their  deployed  account;  so  if  you, 

19  Major  Hurley,  had  CENTCOM  business  and  USF-I  business  at  the  same 

20  time,  then  we  would  have  linked  both  of  those  e-mail  accounts  within 

21  Active  Directory  to  here. 

22  Q.  And  it'd  be  —  and  it  would  pull  them  up. 

23  A.  It  would  only  pull  up  your  Iraq-centric  e-mail,  sir. 


8833 




Q.  Right. 

And at the time — and at the time, and this was in
February of 2010, what we had back then were home station e-mail
accounts. So let's say I was assigned to Fort Stewart; it would be
"@stewart.army.mil" -

A.  Yeah,  the  preponderance  of  e-mail  was  not  Enterprise 

e-mail  at  that  time,  sir,  no. 

Q.  And  this  was  —  and  that  home  station  e-mail  address,  if 

I  deployed  from  Fort  Stewart  to  Iraq,  that's  not  reflected  up  here, 
is  it? 

A.  No,  sir. 

Q.  Okay,  and  it  wouldn't  be  reflected  in  the  user  GAL  that 

you  would  pull  from  Iraq,  right? 

A.  Only,  now,  if  we  had  access  to  —  if  we  were  syncing  with 

those  other  domains.  So,  for  instance,  I  could  search  SOCOM  or 
CENTCOM's  GAL  list  by  putting  those  personnel  in  —  because  we  had  — 
we  had  SyncServices  with  those  services.  The  same  thing  with  the 
divisions  up  to  the  corps  —  or  up  to  the  M  --  USF-I  and  down,  and  we 
did  some  syncing  with  the  swa.army.mil  domain  for  Afghanistan  and 
Kuwait  and  Qatar,  so  you  would  have  been  able  to  pull  those  as  a  user 
within  the  GAL  because  you  have  —  you  are  authenticated  onto  the 
domain. 


8834 




1  Q.  Would  I  have  to  pull  them  by  name  or  would  they  come  up 

2  when  I  just  did  --  when  I  tried  to  - 

3  A.  You  would  have  to  --  you  would  have  to  —  you  would  have 

4  to  do  the  search.  You  would  have  to  say,  "Hurley"  - 

5  Q.  Look  for  Chief  Nixon. 

6  A.  -  "Hurley",  Control-K,  and  then  you  would  got  —  you 

7  would  have  gotten  the  guys  in  USF-I  and  then  anybody  that  we  had  a 

8  GAL  sync  with. 

9  [Pause] 

10  ADC [MAJ  HURLEY]:  And  help  me  under  —  Ma'am,  I'm  going  to  take 

11  down  Prosecution  Exhibit  148bravo. 

12 Q. Correct me if I'm wrong, Chief, if you — if you have

13  this  software  and  it's  working  normally,  once  the  Active  Directory  is 

14  established,  then  the  GAL  function  can  occur;  is  that  correct? 

15  A.  Yeah,  Exchange  pulls  that  GAL  from  Active  Directory. 

16  Q.  And  that's  as  easy  as  pushing  a  button. 

17  A.  [Pause]  From  a  user  perspective,  sir,  or  from  a  actual 

18  services  management  perspective? 

19  Q.  From  a  user  perspective. 

20  A.  From  a  user  perspective,  yes. 

21 ADC [MAJ HURLEY]: Hold on just a second, Chief. I've got some

22  additional  - 

23  WIT:  No  problem,  sir. 


8835 




1  ADC [MAJ  HURLEY]:  -  but  I  still  want  to  make  sure  I  cover 

2  everything. 

3  [There  was  a  pause  in  the  proceedings  while  the  assistant  defense 

4 counsel reviewed his notes.]

5  Q.  Any  particular  user  wouldn't  have  had  access  to  all 

6  groups  inside  the  domain,  correct? 


7 A. No, sir.

8 Q. And so the user's access and the GAL that they pull would

9 reflect the domains that they have access to.

10 A. Yes, sir.

11 Q. So he wouldn't, as a user in that sense, he wouldn't have

12 access to the entire user GAL.

13 A. Access and visibility, sir, that's what I'm asking for.

14 access —

15 Q. Right.

16 A. - or visibility. Access, yes; as long as I am doing

17 sync with those other domains, I can — I can search and look out

18 there.

19 Q. But -

20 A. But to just straight do a "Control-K" and them all -

21 Q. And pull it.

22 A. - populate, no, sir. It would require an elevated

23 level of privilege to be able to do something like that.

8836 




1  Q.  And  just  so  I'm  clear  that  all  the  resources  you  talked 

2  about  with  Captain  von  Elten,  they're  —  they  are  required  for  the 

3  entirety  of  the  operation,  so  the  —  to  build  and  maintain  an  Active 

4  Directory,  to  do  the  other  functions  the  Active  Directory  performs, 

5  as  well  as  to  establish  a  Global  Address  List,  or  a  GAL. 

6  A.  Yes,  sir.  It's  an  —  it's  an  all-encompassing  piece. 

7  You  can't  —  servers  nowadays  are  —  it's  an  integrated  services.  I 

8  don't  have  Exchange  without  Active  Directory  or  any  of  those  other 

9  services. 

10  Q.  Now  you  indicated,  Chief,  that  the  names  on  the  CDs,  they 

11  matched  each  other,  right? 

12  A.  Yeah,  if  you  were  to  go  down  to  them,  like,  the  first  two 

13  —  the  first  two  on  the  top  of  the  GAL  were  General  Austin,  General 

14  Odierno;  if  you  were  to  look  on  the  other  two,  it  was,  you  know,  it 

15 was also General Austin and General Odierno's e-mail addresses.

16  Q.  Did  you  compare  those  names  or  the  information  on  that  CD 

17  to  the  Global  Address  as  of  May  of  2010;  did  you  personally  do  that? 

18  A.  Like  - 

19  Q.  Did  you  personally  compare  the  information  that  you  were 

20  given  on  the  CDs,  did  you  compare  it  to  something  other  than  what  was 

21  on  the  CDs  to  what  you  knew  the  Global  Address  was  in  May  of  2010? 

22  A.  No,  because  I  didn't  have  anything  else  other  than  — 

23  than  what  was  provided,  sir. 


8837 




1  Q.  So  you  didn't  —  I  mean,  logically,  you  didn't  do  a  line- 

2  by-line  comparison,  then,  to  those  things  and  then  what  was  on  the 

3  GAL. 


4  A.  No,  sir;  no.  I  could  guarantee,  though,  that  those  were 

5  both  General  Austin  and  General  Odierno's  e-mail  addresses. 

6  Unfortunately,  I  had  to  deal  with  them  on  a  regular  basis. 

7  ADC [MAJ  HURLEY] :  Thanks,  Chief. 


8  WIT:  Roger,  sir. 




ADC [MAJ  HURLEY]:  Nothing  further,  ma'am. 

MJ:  Redirect? 

ATC [CPT  von  ELTEN] :  Yes,  ma'am. 

REDIRECT  EXAMINATION 

Questions  by  the  assistant  trial  counsel  [CPT  von  ELTEN] : 

Q.  Chief  Nixon,  how  many  e-mails  can  somebody  send  if  the 

Exchange  or  network  goes  down? 

A.  None. 

Q.  If  somebody  downloads  the  entire  GAL  to  a  computer,  how 

many  e-mails  can  he  send  if  the  Exchange  or  network  goes  down? 

A.  None. 

Q.  When  you  reviewed  the  names  on  Prosecution  Exhibit  47, 

A.  Yes,  sir. 

Q.  -  did  you  recognize  other  names? 


8838 




A.  Actually,  there  were  a  couple  system  administrator  names 

that  belonged  to  USF-I  Headquarters.  If  you  go  down  the  list  a 
little  ways,  there  was  a  Specialist  Campos  who  was  on  the  list,  and 
there  were  a  number  of  group  accounts  that  I  recognized,  like  the 
Catfish  account,  which  was  all  of  the  air  movement  within  theater; 
there  were  a  couple  of  fires  brigades;  a  lot  of  group  accounts  that  I 
recognized  and  dealt  with. 

Q.  And  where  were  those  people  stationed  at  that  time? 

A.  They  were  all  in  Iraq. 

Q.  Were  they  part  of  USF-I? 

A. Well actually they weren't part of just USF-I. They were

part of other organizations within — within Iraq as a whole. They
weren't necessarily USF-I entities. They belonged all over Iraq to
different organizations all over Iraq.

Q.  Were  they  part  of  the  GAL? 

A.  Yes,  sir. 

[Pause] 

ATC [CPT  von  ELTEN] :  Thank  you;  nothing  further. 

[Pause] 

ADC [MAJ  HURLEY]:  I  have  some  recross. 

MJ:  All  right,  go  ahead. 


8839 




1  RECROSS-EXAMINATION 

2  Questions  by  the  assistant  defense  counsel  [MAJ  HURLEY] : 

3  Q.  Chief,  was  downloading  —  if  a  user  wanted  to  download 

4  the  GAL,  was  it  prohibited? 

5 A. [Pause] There's —

6  Q.  Let  me  rephrase  my  question.  If  a  user  wanted  to 

7  download  a  GAL  for  his  brigade,  was  that  prohibited? 

8  A.  Normally,  a  user  wouldn't  have  the  ability  to  do  that, 

9  sir.  He  would  have  to  do  a  manual  cut-and-paste  process  to  it,  and 

10  even  then  it  wouldn't  be  an  easily  executable  process  without  outside 

11  software.  It's  not  a  user  function  to  be  able  to  download  the  GAL  as 

12  a  whole. 

13  Access  —  that's  why  —  that's  why  when  we  have  the 

14  conversations,  I  do  want  to  specify  access  and  visibility  because 

15  they're  two  very  different  things.  Visibility  to  the  GAL  as  a  whole 

16  within  Iraq,  yes,  without  a  doubt,  but  to  be  able  to  actually  pull 

17  down  and  see  all  of  the  contextual  information  within  the  GAL  as  if 

18  you  were  pulling  it  down  to  an  Excel  or  CSV  file,  very  different 

19  entity  and  not  a  —  not  a  user-level  access  task. 

20  Q.  Just  to  make  sure  I've  got  it  also,  Chief,  there  can  be 

21  an  Active  Directory  without  a  GAL. 

22  A.  Yes,  sir. 

23  Q.  But  there  cannot  be  a  GAL  without  an  Active  Directory. 


8840 




1  A.  No,  sir. 

2  ADC [MAJ  HURLEY] :  Thanks,  Chief. 

3  MJ:  I  have  a  few  questions.  Let  me  just  make  sure  I 

4  understand  your  testimony. 

5  WIT:  Yes,  ma'am. 

6  EXAMINATION  BY  THE  COURT-MARTIAL 

7  Questions  by  the  military  judge: 

8  Q.  So  you  have  the  Active  Directory,  - 

9  A.  Yes,  ma'am. 

10  Q.  -  which  you  —  basically  you  have  to  set  up,  all  the 

11  user  account  information  goes  in,  and  it's  structured  to,  I  guess, 

12  keep  it  a  certain  way? 

13  A.  It's  just  structured  for  —  it's  structured  to  make  sure 

14  that  all  my  servers  are  able  to  talk  to  one  another  across  the 

15  network  and  maintain  my  relationships  with  other  servers  and  other 

16  domains.  The  user  build  is  just  a  —  is  a  part  of  that  Active 

17  Directory  function. 

18  Q.  So  the  user  build  would  be,  if  I'm  understanding  your 

19  testimony,  the  Active  Directory  is  structured  such  that  users  can  go 

20  in  and  with  "Control-K"  access  certain  information  about  people  who 

21  are  part  of  the  directorate. 

22  A.  Yes,  ma'am;  yes.  Yeah,  Exchange  pulls  —  the  Exchange 

23  Server,  so  you  log  in  to  Out  —  you're  using  Outlook.  Exchange  — 


8841 




1  the  Exchange  Server  pulls  that  information  from  Active  Directory  to 

2  present  to  you  in  a  format  that  you're  able  to  digest  so  that  you  can 

3  use  that  information;  so  if  you  hit  "Control-K"  when  you  type  in  your 

4  last  name  and  you  hit  "Control-K"  you  see  you  and  the  other  people 

5  with  your  last  name  to  begin  with;  the  more  specific  you  get,  the 

6  smaller  the  search  space  gets. 

7  Q.  Is  it  similar  to  Outlook  today  where  if  you  check 

8  addresses  or  - 


9 A. Yeah.

10 Q. - something like that?

11 A. Yeah, again, all that is different parts of the same

12 functionality, ma'am.

13 Q. If you download this, say you do a "Control-K" and you

14 get all of the addresses, are you able to go to particular addresses

15 and then when you click on their names you get the properties and you

16 get the other things that are -

17 A. Yeah; yes, ma'am.

18 Q. - at the top of the screen and then you can find out

19 further information -

20 A. Yes, ma'am.

21 Q. - about that -

22 A. Uh-huh [affirmative response].

23 Q. - from those -

8842 



A.  Yes,  ma'am. 

Q.  - addresses? 

A.  Uh-huh;  yes,  ma'am. 

Q.  So  if  you  push  "Control-K"  is  it  like  a  database  thing 

that  comes  down? 

A.  It  —  it's  just  —  it's  just  another  —  it's  a  quick  key 

function,  ma'am,  to  the  same  thing;  that's  all  it  is.  It  —  so  the 
same  thing.  So  if  you're  talking  about  —  if  you  bring  up  the  "To" 
function  and  you  just  start  typing  in  names,  it's  the  same  thing. 
"Control-K"  is  just  a  quicker  way  to  do  it;  that's  all  it  is. 

MJ:  All  right,  any  follow-up  questions  based  on  mine? 

ATC [CPT  von  ELTEN] :  No,  ma'am. 

ADC [MAJ  HURLEY]:  No,  ma'am. 

MJ:  All  right,  temporary  or  permanent  excusal? 

ATC [CPT  von  ELTEN]:  Temporary. 

MJ:  All  right,  let  me  just  look  to  make  sure  I  didn't  have 

any  other  final  questions  here. 

WIT:  No  problem,  ma'am. 

MJ:  I  don't  think  I  do. 

[The witness was warned, temporarily excused, and withdrew from the
courtroom.]

TC [MAJ  FEIN]:  Ma'am,  the  United  States  requests  a  10-minute 
comfort  break. 


8843 




MJ:  All  right,  court  is  in  recess,  then,  until  1530,  or  3:30. 

[The  court-martial  recessed  at  1525,  17  June  2013.] 

[The  court-martial  was  called  to  order  at  1537,  17  June  2013.] 

MJ: Court is called to order. Let the record reflect all

parties present when the court last recessed are again present in
court.

Is  the  government  ready  to  proceed? 

TC [MAJ  FEIN]:  Yes,  ma'am. 

The United States calls Chief Warrant Officer 4 Armond

Rouillard.

CHIEF  WARRANT  OFFICER  4  ARMOND  ROUILLARD,  U.S.  Army,  was  called  as  a 
witness  for  the  prosecution,  was  sworn,  and  testified  as  follows: 
DIRECT  EXAMINATION 

Questions  by  the  trial  counsel  [CPT  FEIN] : 

Q. And you are Chief Warrant Officer 4 Armond Rouillard of

United States Army 1st IO Command?

A.  Yes,  sir. 

TC [MAJ  FEIN]:  Thank  you. 

Q. Chief, what is your current position at United States

Army 1st IO Command?

A. I'm the senior tech advisor for the battalion commander,

for 2d Batt, 1st IO.

Q.  And  what  does  it  mean  to  be  the  senior  tech  advisor? 


8844 




A.  Advise  him  on  anything  that  affects  the  battalion 

mission,  technical  nature;  so  one  of  our  missions  is  the  Cyber  OPFOR 
Teams,  and  we  use  them  to  test  battalion  —  test  brigades  that  are 
getting  ready  to  deploy  through  attack  —  networking  attack 
methodology,  and  so  I'm  responsible  for  the  training  and  maintenance 
of  those  guys. 

Q. And is that the mission of the 1st IO Command?

A. 1st IO Command is responsible for, yes, the vulnerability

assessment of our networks for the Army.

Q.  And,  I  guess,  how  broad  or  how  comprehensive  is  that  — 

is  that  charter? 

A. Pretty wide. Up until very recently, they also managed

the regional CERTs, which are directly — we have those based across
the United States, so we have a CERT for CONUS, for the United
States, in Fort Huachuca; we have one for the southern area, and so
1st IO manages those guys and they're responsible for detecting
attacks or responding to intrusions or unclassified spillages across
networks.

Q.  And  what's  a  "CERT"? 

A.  [Pause]  Computer  Emergency  Response  Team. 

Q. Okay. And is that what the 1st IO Command still does,
manages  the  CERTs? 


A. Not anymore; that — well, we assist with it still, but
that  mission  has  passed  to  the  Army  Cyber,  so  we're  still  in  the 
business  of  helping  those  guys  in  managing  those,  but  we  also  have 
the  Army's  Red  Team,  Blue  Team,  Green  Team,  the  guys  that  go  out  and 
help  tactical  units  with  network  assessments  for  vulnerabilities  and 
bring  guys  in  later  to  give  them  reports. 

Q. Okay, you just threw out three colors: red, blue, and
green.  Could  you  please  explain  for  the  court  what  a  "Red,"  "Blue," 
and  then  "Green"  Team,  what  they  are? 

A.  Yes,  sir. 

So  when  a  mission  gets  ready  to  deploy,  probably  about  9 
months out or so, they stand up all of their network systems and they
prepare to deploy; and the first team they'll get is a, what we call
a Blue Team, which comes in and does an initial assessment. It will
assess  the  network,  look  for  vulnerabilities,  kind  of  help  them 
figure  out  what  their  general  network  posture  is,  because  a  lot  of 
these  systems  are  fielded  from  PMs,  they  might  have  default 
configurations,  so  we  go  through  a  process  where  the  Blue  Team  comes 
out  and  does  an  assessment;  gives  a  report  back  to  the  commander. 

After  they've  had  a  little  bit,  then  they  —  maybe  a 
month  or  so,  then  a  Green  Team  comes  out  and  does  pretty  much  the 
same  thing  and  will  sit  there  and  help  the  green  suiters,  or  the 
unit, configure their equipment to meet the suggested configuration
changes  so  they're  not  in  default  config,  protect  —  protecting  from 
attacks.

Later  on,  probably  3  or  4  months  before  they  deploy, 
during  an  MRX  or  a  Warfighter  or  some  exercise,  they'll  have  the  Red 
Team  come  out,  which  is  one  of  the  final  stages,  and  the  Red  Team 
will  actually  simulate  the  enemy  and  try  to  attack  their  network 
through  social  engineering  or  other  cyber  attack-type  tools,  and 
then,  again,  they  give  a  report  back  to  the  commander  on  how 
effective  they  were;  what  —  some  configuration  changes  they  need. 

All  that  happens  at  home  station. 

The  final  part  of  that  assessment  is  these  Cyber  OPFOR 
Teams,  which  2d  Battalion,  1st  10  has;  and  as  the  brigade  is  at  NTC 
or  JRTC  getting  ready  to  deploy,  they,  again,  stand  up  but  the 
commander  is  now  in  his  operational  focus.  We  have  the  OPFOR  guys  on 
site  simulating  enemy  and  try  to  break  into  their  systems  to 
demonstrate  to  the  commander  what  the  effects  of  the  cyber  domain 
are.

Q. And you just used two other terms. Could you explain,
please,  for  the  court  what  you  mean  by  "attacks,"  prevent  "attacks"? 

A. Right, so vuln — we perform a lot of vulnerability
assessment;  look  at  it  —  look  at  the  networks  or  the  configurations 
of  their  network  equipment  or  their  services,  their  Enterprise-level 
services, like Active Directory or Exchange, and we assess it for
vulnerabilities  to  help  them  defend  better;  help  them  implement  the 
appropriate  configurations  into  their  systems. 

Q.  And  which  networks  are  you  —  are  you  talking  about? 

A.  Primarily  SIPRNet. 

Q. And what about NIPRNet, also?

A. We do also assist with the assessment of those.
Primarily  at  CTCs,  they  always  stand  up  the  SIPRNet,  but  if  they 
bring  out  a  NIPRNet,  then  we'll  also  assist  with  those. 

Q.  What  is  your  current  branch  and  MOS? 

A.  I'm  a  25  Sierra. 

Q.  What  is  that? 

A.  It's  an  information  protection  technician. 

Q.  Okay. 

A. So about 2008 — 2007/2008, the Army realized that we had
this  cyber  domain  similar  to  air,  sea,  land.  We  also  encount  —  we 
also  encountered  a  lot  of  combat  in  the  cyber  domain;  so  realizing  we 
needed  to  fill  that  —  defend  that  gap,  the  Warrant  Officer  Corps 
assessed  the  signal  warrants,  assessed  that  we  needed  to  provide 
additional  training  to  help  our  guys  be  the  technical  experts  on  the 
ground  for  protecting  this  domain.  So  we  created  a  25  Sierra  MOS, 
which  is  fed  from  the  Alphas  —  the  255Alphas  and  the  255Novembers, 
which  are  signal  warrants,  through  an  assessment  process.  They  have 
to be IA Level 3, which requires a certain level of certification.
They  submit  a  resume,  which  is  a,  you  know,  a  well-defined  skill  set; 
that  they've  worked  in  the  information  assurance  field,  and  then 
they're given an assessment exam; and if they meet all of those
requirements,  they  come  to  Fort  Gordon  to  the  25  Sierra  course  and 
attend  about  6  months  in  training  on  network  defense  capabilities, 
such  as  forensics;  perimeter  defense;  pen  testing,  which  is  that 
vulnerability  assessment  from  the  outside  trying  to  attack  into  a 
network  and  looking  for  a  way  that  it  can  be  exploited;  incident 
handling  and  other  cyber  domain-related  skills. 

Q.  And  what  year  was  the  25  Sierra  MOS  created? 

A. Officially, we started flagging warrant officers as 25
Sierras  just  this  past  fiscal  year.  We've  been  training  them  since 
2009  and  —  or  2010,  I  believe,  right  around  in  that  period.  We 
started  designing  the  course  about  2008,  and  I  was  part  —  one  of  the 
guys  that  they  reached  out  and  said,  "What  needs  to  be  in  this 
course?"  because  I  had  been  working  in  the  field  for  a  while  on  this. 
When  we  assessed,  we  kind  of  did  a  lot  of  broad  sweeps,  looking  for 
what  commanders  were  looking  for;  what  were  the  holes  that  we  could 
fill  as  signal  warrant  officers  to  fill  that  gap?  It's  been 
successful  in  the  model  to  the  point  that  the  Signal  —  the  Signal 
Corps is now also developing similar tracks for our enlisted and for
our officers.


Q. And what was your role — or, excuse me, have you ever
taught  in  the  field  of  cyber  security? 

A. I have. So I was one of the eight selected as one of the
initial  instructors  for  the  25  Sierra  course.  A  lot  of  them, 
especially  in  this  type  of  field,  in  the  cyber  field,  you  have 
specializations,  so  my  specialization  was  securing  Windows 
environments  and  the  pen  testing  area. 

Q. And, again, what is — what specifically "pen testing"?
Well,  not  too  technically,  just  in  layman's  purposes. 

A. Just to attack or assess a network from an external view
kind  of  thing.  So  you're  assessing  that  network  posture,  looking  for 
potential  ways  that  an  adversary  could  exploit  it  for  their  gain. 

Q.  And  how  long  did  you  instruct  or  teach  as  a  25  Sierra? 

A.  Three  and  a  half  years. 

Q.  Are  you  still  currently  instructing? 

A. I do, actually, so I'm — twice a year I travel back down
to  Fort  Gordon  TDY  and  I  teach  the  securing  Windows  block. 

Q.  And  what  do  you  mean  by  "securing  Windows"? 

A. Our course — part of our courseware is based on industry
standard. SANS is a well-known corporation for training in this
field, and so the Army uses SANS training for portions of ensuring
that  our  information  protection  warrants  are  trained  properly  and 
certified according to industry standard, so one of the courses that
we  have  is  the  securing  Windows  and  preventing  malware,  which  I'm 
responsible  for. 

Q. And you spoke about certifications. What type of
certifications  do  you  have? 

A. I have a number of certifications. I started certifying
as  a  system  administrator,  so  I  have  various  Microsoft  certifications 
in  administration,  such  as  Server  2003,  2008.  I  have  Exchange 
certifications  for  —  and  all  the  Microsoft  certifications  are  based 
on  knowledge  and  expertise  and  experience  for  whatever  you've  been 
certified  in.  In  the  cyber  field,  I  also  have  six  GIAC 
certifications,  which  are  the  certs  that  we  use  to  standardize  our 
training  for  the  25  Sierras,  and  some  of  those  would  be  securing 
Windows;  pen  testing;  incident  handling;  securing  the  perimeter;  and 
a  couple  others. 

Q.  And  what  do  you  mean  by  "securing  the  perimeter"? 

A. "Securing the perimeter" involves all of the network-type
gear  that  would  be  on  the  external  part  of  a  network,  so  you  have  the 
user  part  of  the  network,  where  a  lot  of  computers  plug  in;  and  you 
have  the  services  part  of  the  network,  where  you've  got  your  servers 
and  your  Enterprise-level  services,  such  as  SharePoint  and  Exchange; 
and  then  you've  got  the  perimeter,  with  your  firewalls  and  your 
intrusion  detection  devices  and  router  configurations  and  that  kind 
of  thing. 


Q. And what were your duties or your assignment prior to
being assigned to 1st IO Command, at Fort Belvoir?

A. So prior to that, I was an instructor at Fort Gordon.
Before  there,  I  worked  at  the  Microsoft  Security  Response  Center  for 
a  year  on  a  Training  with  Industry  Program,  so  the  military  has  a 
program  where  they'll  take  a  green  suiter,  put  us  into  a  civilian 
corporation,  and  I  got  —  I  had  the  luck  of  working  at  Microsoft  in 
the  place  where  they  handle  all  of  the  zero-day  exploits  that 
Microsoft  works  with;  and  a  "zero-day  exploit"  is  something  such  as 
an  exploit  that  there's  no  known  patch  for  that  vulnerability  for  yet 
and  those  are  highly  valuable,  so  the  Microsoft  Security  Response 
Center,  the  MSRC,  really  taught  me  a  lot  about  how  corporations  deal 
with  this  threat  of  malware  or  malicious  software  vulnerabilities  in 
their  operating  systems  and  how  they  respond  to  it,  how  they  triage 
it,  how  their  teams  handle  it  at  the  program  manager  level  type 
thing;  and  then  prior  to  walking  backwards,  prior  to  working  at  MSRC, 
I've  been  a  system  administrator  at  the  BCT  and  the  division  level 
since  '94;  and  then  prior  to  that  was  phones. 

Q. What about your experience, if any, with mail server
certifications  or  just  e-mail  servers? 

A. Since — from '94 through — 1994 through 2007, I ran
Enterprise-level  services  for  the  Army  at  the  brigade  and  division 
level; that includes Active Directory, Exchange, SharePoint, update
servers,  client  management,  building  the  local  network,  configuring 
the  local  network,  that  kind  of  stuff.  The  easiest  way  to  sum  that 
up  is  commanders  expect  garrison-style  services  in  a  tactical 
environment  and  so  that's  what  we  provide. 

Q. And in your current capacity, what echelons do you
currently  work  with,  within  the  command  structure? 

A.  I'm  not  really  sure  - 

Q. Well, I'm sorry. You previously testified that you, at
1st IO Command, provide Red Team and OPFOR support. What levels do
you  provide  that  support  to? 

A. Oh, yes, sir. Any — any unit that requests it, so it
could  be  anywhere  from  a  strategic  unit  at  the  base.  It  could  be 
Fort  Meade  could  request  a  pen  test.  It  could  be  a  command  unit, 
such  as  Army  Cyber.  Army  Cyber  may  request  a  pen  test,  or  it  could 
be  a  single  brigade  combat  team,  so  the  scope  range  is  pretty  wide. 

Q.  And  have  you  deployed  before? 

A. I've — yes, sir. I've deployed a couple — a couple
times.  The  last  two  deployments  were  with  1st  Cav  into  Iraq  in 
2004/2005  and  2007/2008.  I  was  one  of  the  two  senior  warrant 
officers  in  the  G6  for  the  division  at  MND-B  on  - 

Q.  And  what  was  - 

A.  -  Fort  —  on  Camp  Liberty. 


Q. - and what was your role during those two deployments;
what  were  your  duties? 

A. Yeah, me and my other chief, we basically man -- we
managed all of the Enterprise-level services and the network that
supported the 3,000 clients that were on Camp Liberty, and then the
outreaching bases; so first deployment we managed an Active Directory
and  Exchange  configuration  for  —  I  can  use  FOB  names,  right? 

Q.  You  can. 

A. Camp Taji, Camp Falcon, Green Zone, and Camp Liberty,
tied  all  those  together  in  a  single  network  that  spanned  the  WAN 
basically,  or  spanned  the  Wide  Area  Network  across  Baghdad;  and  then 
the  second  deployment,  the  BCTs,  we  assisted  the  BCTs  in  standing  up 
their own domain-level services so we didn't have as much network
traffic. 

Q. And when you said "spanned the WAN, the Wide Area
Network,"  could  you  just  briefly  explain  what  you  mean? 

A. Yes, sir. So tactical networks, when we put in tactical
networks,  it's  very  similar  to  a  commercial  network,  just  a  much  more 
limited  availability,  so  like  Fort  Meade  is  tied  to  Fort  Belvoir 
across  a  network,  both  with  phone  and  with  data,  but  in  a  tactical 
environment,  the  Army  has  to  put  those  systems  in,  so  we  have  signal 
assemblages  through  satellite  or  line  of  shot  --  line  of  sight  that 
will establish the connectivity, which introduces some unique
variables  into,  you  know,  signaling  where  we've  got  to  manage 
bandwidth  a  lot  better  than  in  a  garrison  environment,  but  it  allowed 
us  to  connect  the  —  having  all  of  the  servers  on  Camp  Liberty  for 
the  first  deployment  allowed  us  to  manage  all  the  users  in  one 
location  rather  than  having  them  scattered  across  the  different  FOBs. 

Q.  Now  is  that  true  for  NIPR  and  SIPR? 

A.  Yes,  sir,  and  Centrix. 

Q.  And  Centrix.  What  is  "Centrix"? 

A. It's the — we call it the "blue network," so it's a
network that's higher than unclassified but lower than SIPR that
we're allow — that we share classified information with our
coalition partners, whoever's in that area, so there's a coal —
there's a Centrix-Iraq; there's a Centrix-Afghanistan. They're
separate  networks  that  have  a  certain  pool  of  coalition  partners  that 
have  access  to  that  network. 

Q. And earlier you said that when you set up a network,
tactically  there's  —  you  have  to  be  concerned  about  "limited 
availability."  What  do  you  mean  by  that? 

A. Primarily, the bandwidth, so here to Fort Belvoir in a
garrison  environment,  we've  got  very  large  data  pipes  and  it  doesn't 
really  matter  what  users  do  as  far  as  impacting  on  the  network 
because  the  network  will  support  it.  In  a  tactical  environment,  we 
try to limit — we're much more cognizant of users on the network
because  it  directly  affects  missions  that  are  going  on.  If,  for 
instance,  I've  got  a  lot  of  people  surfing  the  Web  doing  recreational 
browsing,  it'll  --  it  may  directly  affect  the  commander's  BUB  --  or 
the  commander's  battle  update  brief  or  it  might  affect  a  UAV  feed  or 
something  else,  and  so  we're  very  aware  of  monitoring  bandwidth 
utilization  of  a  tactical  network. 

Q. And when setting up these tactical networks on — at
least  for  NIPR,  who  can  have  —  or  who  does  have  access  to  the 
information  on  the  NIPR  network? 

A.  So  who  has  access  to  NIPRNet? 

Q.  [Nodded  head  indicating  an  affirmative  response.] 

A. Just about every Soldier; any Soldier in the deployed
environment  that  would  have  access  to  the  computer.  Most  all  the 
computers  are  plugged  in  to  the  NIPRNet,  the  unclassified  machines. 

Q.  What  is  "USF-I"? 

A. That's the — when I was deployed, it was the "MNC-I,"
and  it's  now  —  that's  the  U.S.  Forces-Iraq,  so  that's  what  MNC-I  had 
morphed  into  after  my  departure  from  theater.  So  it's  —  it's 
basically  what  I  call  the  "Corps  Headquarters,"  so  it's  the  higher 
headquarters  that  manages  all  of  the  divisions  in  Baghdad  --  or  in 
Iraq. 

Q. And when you were in Iraq in 2008, what client did then
MNC-I  use  to  manage  e-mail  in  Iraq? 


A. [Pause] They used Outlook. Outlook is the user client
that  resides  on  the  work  station.  The  Army  has  chosen  to  use 
Microsoft  products  for  their  Enterprise  solutions,  so  the  brigades, 
divisions,  and  corps  and  all  them  are  fielded  primar  —  for  their 
Enterprise-level  services  with  Microsoft  Server  for  the  user 
management,  Microsoft  Exchange  for  the  mail,  and  Microsoft  SharePoint 
for  document  sharing;  those  are  the  primary  three,  Enterprise-level- 
type  services  that  you  would  encounter. 

Q.  And  what  is  a  "Global  Address  List,"  or  "GAL"? 

A. The "Global Address List" is a list of all of the e-mail
addresses  available  to  a  user  to  send  e-mail  to. 

Q.  And  what  networks  had  a  GAL  in  Iraq? 

A.  All  —  all  three  of  them,  the  NIPR,  SIPR,  and  Centrix. 

Q. And who had access to each — or at least to the NIPR
GAL? 

A.  Any  —  anyone  who  had  access  - 

ADC [CPT TOOMAN]: Objection.

MJ:  Yes? 

ADC [CPT  TOOMAN]:  Personal  knowledge. 

TC [MAJ  FEIN]:  Your  Honor,  may  I  ask  a  foundational  question. 

MJ:  Go  right  ahead. 

Q. When you were in Iraq in 2007 to 2008, who had access to
the  precursor  of  the  USF-I  GAL  - 


A. Anyone with -

Q. - and Outlook?

A. - anyone with access to the NIPRNet that had -- well,
anyone that had access to the NIPRNet that had a user account.

MJ: How do you know that?

WIT: All — Ma'am, all user accounts have an e-mail address,
and to get access to the GAL, they just open up Outlook and the GAL
is there.

ADC [CPT TOOMAN]: We would now object based on relevance. What
was true in 2007 and 2008 was not necessarily true in 2009/2010,
which is the time frame at issue.

MJ: Are you going to carry this over?

TC [MAJ FEIN]: Ma'am, may I ask additional questions for
foundation, if that's the new objection?

MJ: Go ahead.

Q. How many years have you been working with Microsoft
products dealing with e-mail?

A. Since Microsoft Exchange 5.5, which would have been
around '98/'99, I believe.

Q. And have you worked with -- well you said Microsoft
Exchange, at that time 5.5 or something, and its successors since
then?


A. Yes; so 5.5, to 2000, to 2003, to 2010. I'm a Microsoft
certified  trainer,  so  I  constantly  work  with  the  Microsoft  products; 
and  for  the  signal  course,  for  the  warrant  —  signal  warrant 
officers,  I  instruct  a  5-day  block  for  Exchange  Server. 

Q. And in your current capacity — or in your capacity as a
trainer and your capacity at ARCYBER — excuse me, not ARCYBER, 1st
IO Command, do you have personal knowledge of the different types of
—  if  —  whether  —  excuse  me,  if  Microsoft  Outlook  and  Exchange  are 
used  across  the  Army  on  NIPRNet? 

A.  I  am. 

Q. Including in, at the time, Iraq and currently in
Afghanistan? 

A. Yes, sir. So the systems that the brigades, divisions,
and  corps  use  is  called  the  "BCCS,"  or  Battle  Command  Control  System. 
It's  a  system  fielded  by  Tactical  Battle  Command  to  all  of  the  active 
duty  guy  —  active  duty  signal  units  that  provides  their  Enterprise- 
level  services.  All  of  them  are  fielded  the  same.  We  train  all  of 
the  Soldiers  at  Fort  Gordon  on  how  to  operate  these  systems,  and  so 
they  have  a  general  consistency  on  how  they're  configured  and 
fielded.  Part  of  that  fielding  is  their  Active  Directory 
configuration,  their  Exchange  configuration,  and  so  on,  their 
SharePoint  configuration.  - 

Q.  Well  - 


A.  The  - 

Q. I'm sorry, Chief.

A.  No,  sir. 

Q.  Was  that  true  in  2007? 

A.  Yes,  sir. 

Q.  Was  that  true  in  2008? 

A.  Yes,  sir. 

Q.  Was  that  true  in  2009? 

A.  Yes,  sir. 

Q.  What  about  2010? 

A.  Yes,  sir. 

Q.  2011? 

A.  Yes,  sir. 

Q.  Today? 

A.  Yes,  sir. 

TC [MAJ  FEIN]:  Your  Honor,  I  think  a  proper  foundation  has  been 
laid  here  on  whether  the  witness  knows  whether  Microsoft  Outlook  was 
used  in  Iraq  during  the  time. 

MJ: All right, the personal knowledge is overruled, so why
are  we  talking  about  2007  and  2008? 

TC [MAJ  FEIN]:  Ma'am,  the  only  reason  for  the  2007/2008  is 
simply  to  lay  a  foundation  for  Chief  Rouillard  being  qualified  as  an 
expert  in  Global  Address  Lists,  their  value,  cyber  threats. 


MJ: All right, you heard what the government wants to do.
Are  you  going  to  object  to  this  expertise  or? 

ADC [CPT TOOMAN]: We will object to Chief Rouillard being an
expert  in  valuation;  yes,  ma'am. 

MJ:  All  right,  continue  on  with  your  foundation. 

TC [MAJ  FEIN]:  Yes,  ma'am. 

MJ:  Relevance  overruled. 

[Pause] 

TC [MAJ FEIN]: May I have a moment, Your Honor?

MJ: Uh-huh [affirmative response].

[Pause] 

Q. Who had — who — again, going back to Iraq, who had
access  to  the  NIPR  GAL  in  2010? 

A. [Pause] All personnel who worked in a staff environment
or  needed  access  to  e-mail  for  their  daily  duties  would  have  had 
access  —  if  they  had  an  —  basically,  if  they  had  an  e-mail  address 
and  had  an  active  account,  they  had  access  to  the  GAL. 

Q.  Could  any  person  on  Earth  have  that  access? 

A. No. Well, they could, but you would need a demonstrated
I  need  to  have,  so  we  had  a  large  number  of  Soldiers  in  theater.  A 
lot  of  Soldiers  were  doing  other  duties  that  didn't  require  e-mail, 
so if they were on a team that kicked in doors or something like that
or  went  out  constantly,  they  wouldn't  necessarily  have  an  e-mail 
account  for  - 

Q. And who outside the Army or Department of Defense had
access  to  it? 

A.  To  our  e-mail  servers?  Nobody. 

Q.  To  —  correct. 

A.  Yeah,  nobody. 

Q.  How  is  a  GAL  created? 

ADC [CPT TOOMAN]: Objection; cumulative.

MJ:  Overruled. 

A. So the GAL is just a list of e-mail addresses. Well, I
say  "just"  but  it's  a  list  of  e-mail  addresses  that's  created 
automatically  when  mailbox  is  created  for  that  user.  So  when  you  go 
into  an  Exchange  Server  and  I  create  a  user  —  a  user  mailbox,  an  e- 
mail  address  is  created  and  added  into  a  different  portion  of  the 
Exchange  Server.  The  Exchange  Server  takes  all  of  those  e-mail 
addresses,  compiles  them  into  what's  called  the  "GAL"  and  creates  a 
GAL  for  that  server. 

In  Iraq  or  in  a  —  in  our  deployed  environments  or  even 
in  the  corporations,  connectors  are  put  between  different  Exchange 
Servers.  Those  Exchange  Servers,  such  as  a  brigade  and  its  division, 
will  then  exchange  a  copy  of  their  GALs,  to  keep  it  simple.  They 
exchange a copy of their GALs and they get one larger GAL with both
the  division  and  the  brigade,  and  that  happens  up  the  chain,  so  to 
speak,  so  then  at  MNC-I  or  USF-I,  then,  that  division  GAL,  which  has 
been  built  with  all  of  the  brigades  in  the  division,  gets  replicated 
to  the  corps  level  and  now  that  single  corps  level  is  replicated 
across;  that's  why  you  can  sit  in  2d  Brigade,  4ID,  and  e-mail 
somebody  in  2d  Brigade,  1st  Cav,  who's  sitting  next  to  each  other  but 
are  on  different  servers  because  they  share  a  common  GAL  and  that's 
why  we  do  it. 

Q. So going back to un — well, not unfortunately, but your
very  first  step  you  said  once  the  user  information  is  "inputted"; 
what  do  you  mean  by  that? 

A. So as certain users need access to Active Directory or an
e-mail  account,  when  that  user  account  is  created,  they're  given  an 
e-mail  address;  that  e-mail  address  for  us,  for  1st  Cav,  from  2003  to 
when  I  left  and  even  how  we  train  guys  at  TRADOC  now,  we  train  them 
to use the AKO mail, so, for instance, mine's Armond.Rouillard. My
Armond.Rouillard instead of being @us.army.mil is now @lcd.army.mil;
and  we  do  that  for  a  number  of  reasons.  The  primary  reason  is  so  if 
I  have  a  bunch  of  John  Smiths  in  the  brigade,  that  John  Smith  is  the 
same.  I  don't  have  to  worry  about  deconflicting  it  because  on  AKO  or 
the  U.S.  Army  mil  has  already  deconflicted  all  that.  So  if  Captain 
Smith  is  John.Smith3  on  AKO,  when  he  gets  his  account  created  in  the 
brigade  server,  he'll  be  John.Smith3@2bctlid.army.mil. 


Q. Okay, and when you talk about account creation, who does
that? 

A. Normally, our help — the G6 Help Desk or the S-6 Help
Desk  will  do  it  or  the  tech  guys,  but  it's  all  —  it's  most  always  in 
the  S-6/G6  area. 

Q. So -- so in order to have e-mails populate the GAL, what
must  a  potential  user  do? 

A.  They  must  request  an  account. 

Q.  Okay,  and  then  what  happens  with  that  request? 

A. It's given to the G6 area, the help desk, and they either
approve it or disapprove it; and if they approve it, they create the
account.

Q. And briefly, how does an account get created by that
individual  Soldier? 

A. So there's two parts to it, because there's Active
Directory  and  Exchange,  so  I  have  to  create  the  Active  Directory 
account  first,  which  normally  it  was  our  help  desk,  it'd  be  -- 
Specialist  Stone  was  my  guy.  He  would  sit  down,  open  the  terminal, 
open  up  the  Active  Directory  management  tool  and  create  the  user 
account  from  the  request  form  that  was  filled  out  by  the  person 
requesting  the  account.  It  would  have  such  things  as  first  name, 
last  name,  AKO  mail  address,  unit  you  worked  in,  any  potential 
distribution lists you needed to be on. Distribution lists is just a
collection  of  e-mail  addresses  I  could  e-mail  quickly,  so  if  I  wanted 
to  e-mail  Command  Group,  I  could  e-mail  Command  Group@lcd.army.mil 
and  it  would  go  to  everybody  in  that  group;  and  so  you  might  have  a 
number  of  those,  and  so  that  Active  Directory  account  gets  created  so 
that  they  can  log  in  to  the  domain  and  then  an  e-mail  account  is  then 
created  which  creates  a  mailbox  for  them  and  gives  them  their  actual 
mail  address. 

Q. So from receipt of the request form to completion of an
e-mail  account  and  population  into  the  GAL,  how  much  time  is  a  single 
Soldier  or  civilian  spending  on  that  one  e-mail  account,  on  average? 

A. If it's an individual one, probably 10, 15 minutes from
the  time  they  get  the  form  to  filling  out  all  the  information  to  it 
populating.  There  are  automated  tools  that  allow  us  to  do  that,  that 
sometimes  we'll  prep  before  we  deploy  so  we'll  have  a  spreadsheet 
with  a  bunch  of  the  information  already  filled  out  and  we  can  import 
it  all  at  once,  but  historically  it's  been  easier  for  us  just  to  get 
the  forms,  fill  it  out  from  the  form,  and  put  it  in. 

[Pause] 

Q. What other resources, other than the Soldiers or
civilians  you  just  spoke  about,  are  required  to  create  the  GAL? 

A. The Soldier's workstation in the help desk area that he's
working  on,  the  software  that's  running,  and  then  the  server 
resources  that  the  account  is  being  created. 


Q.  And  again,  briefly,  what  do  you  mean  by  - 

ADC [CPT TOOMAN]: [Standing to draw attention to the Court.]

Q.  - "server" - 

MJ:  Yes? 

ADC [CPT  TOOMAN]:  Ma'am,  again  we'll  object  on  this  being 
cumulative. 

MJ:  Overruled. 

Q.  And  in  general  what  are  the  different  types  of  Exchange 

Server  resources  you're  talking  about?  Please  explain  for  the  court. 

A.  So  to  run  a  server,  you  have  the  physical  box,  or  the 

server  itself;  there's  the  power  that  supports  the  server;  there's 
the  room  that  the  server  has  to  sit  in;  there's  the  air  conditioner 
that  you  have  to  buy  to  cool  the  servers;  the  network  cabling,  that
all  has  to  be  built;  the  network  configuration  that  has  to  occur  to 
allow  the  servers  to  talk;  and  then  there's  also  the  update  and  the 
security  configuration  and  all  the  management  of  that  server. 

Q.  And  when  you  talk  about  management  of  the  server,  what  do 

you  mean? 

A.  Anything  from  daily  backups  to  reviewing  logs  for 

potential  problems.  With  e-mail  servers  specifically,  you'll  have  — 
if  you  type  an  e-mail  wrong,  it'll  hang  in  the  queue;  and,  again, 
with  tactical  networks  that's  an  issue  because  you're  —  it's  trying 
to  send  out  these  e-mails  and  it's  —  it's  bouncing  against  the  queue 


8866 




so  it  chugs  it  up;  so  you'll  go  in  and  check  your  queues,  make  sure 
your  queues  are  clear,  make  sure  somebody's  not  sending  out  the  10 
meg  PowerPoint  slide,  that  kind  of  thing,  so  somebody  periodically 
will  go  in  there  and  review  the  outbound  or  the  inbound  queue  and  see 

if  any  trouble's  locking  up  - 

Q.  Now  specifically  - 

A.  - your  server. 

Q.  -  what  about  for  the  GAL?  Well  before  —  I'm  sorry. 

Let  me  —  let  me  ask  this  before.  How  do  you  separate  the  resources, 
either  physical  resources,  equipment,  or  the  Soldier  resources  from 
operating  and  maintaining  and  creating  the  GAL  versus  everything  else 
you've  just  talked  about,  the  Active  Directory  and  the  other  portions 
of  Microsoft? 

A.  So  corporations  have  separated  that  pretty  well.  They'll 

have  Active  Directory  administrators;  they'll  have  Exchange 
administrators;  they'll  have  very  narrow  lanes.  For  the  Army,  we 
have  a  much  more  limited  pool,  especially  at  the  brigade  and  division 
level,  so  we  train  our  guys  how  to  do  everything,  which  gives  them  a 
much  wider  scope  of  authority  but  their  workload  increases,  which  is 
okay  because  we  work  12,  14  hours  a  day,  especially  deployed  so  we 
don't  really  care,  but  the  same  guy  that  creates  the  e-mail  server 
account  will  create  the  Active  Directory  account.  He  may  also  go  and 
set  up  the  client's  workstation,  so  it  may  be  one  guy  from  receiving 


8867 




that  request  all  the  way  to  configuring  the  e-mail  client  on  the 
user's  workstation. 

Q.  And  then  going  back  to,  you  testified  just  a  moment  ago 

about  deconflicting  issues,  PowerPoint  slideshows  that  might  be  too 
big.  About  how  much  time  does  typically  a  Soldier  dedicated  to  those 
tasks  spending  [sic]  just  to  maintaining  the  GAL?

ADC [CPT  TOOMAN]:  Objection;  personal  knowledge.

TC [MAJ  FEIN]:  Your  Honor,  the  - 

MJ:  Over  - 

TC [MAJ  FEIN]:  -  United  States  - 

MJ:  - overruled. 

A.  So  maintaining  the  local  GAL  is  relatively  easy,  15,  30 

minutes  a  week  that  you  would  go  in  and  check  it.  As  soon  as  you 
take  that  address  list  and  connect  it  to  somebody  else,  such  as 
another  brigade  or  a  division  or  a  corps  or  something,  now  you've  got 
a  exponentially  growing  scope.  A  lot  of  what  we  saw  happen  was 
duplicate  e-mail  addresses,  because  as  long  as  everybody  put  them  in 
sequence,  everything  stayed  synced  and  you  only  had  one  copy,  but  if 
two  brigades,  for  instance,  connected  to  each  other  and  shared  the 
same  GAL,  so  if  this  brigade  and  this  brigade  are  sitting  right  next 
to  each  other  and  they  put  a  connector  in  without  direction  from 
division,  the  GAL  now  gets  replicated  twice  and  now  you  have 
duplicate  accounts  so  somebody  has  to  go  through  and  clean  that  up 


8868 




and  troubleshoot  it.  On  average,  I  would  say,  for  us,  for  1st  Cav, 
we  spent  anywhere  from  3  to  6  hours  a  week  working  on  GAL  or  address 
list-type  issues. 

Q.  And  that's  just  at  the  division  headquarters. 

A.  Yes,  sir. 

Q.  And  you  said  "local  GAL."  What  about  at  the  brigade 

headquarters? 

A.  So  brigade  would  be  the  local  GAL. 

Q.  Okay. 

A.  Wherever  the  local  server  is.  So  when  I  —  when  I  say 

"GAL,"  I  more  mean  the  entire  address  list  that's  been  shared  between 
more  than  one  server.  Technically,  it  is  correct  to  call  a  single 
address  list  on  a  single  server  a  GAL,  but  the  GAL  normally  infers 
that  you  have  a  much  larger  address  book  than  just  your  addresses. 
[Pause] 

Q.  How  many  Exchange  Servers  were  there  in  Iraq  in  2010? 

A.  In  2008,  there  was  a  large  number. 

Q.  Okay. 

A.  I  --  I'm  not  sure  in  2010. 

Q.  Is  an  Exchange  Server  common  at  the  brigade  level? 

A.  Yes. 

Q.  And  how  —  since  when  has  it  been  common  at  the  brigade 

level? 


8869 




A.  At  least  - 

Q.  What  year? 

A.  -  at  least  since  2004;  2004/2005.  When  we  started 

fielding  the  brigade  —  the  BCCS,  the  Battle  Command  Control  Systems, 
those  were  fielded  to  fill  that  gap  for  the  requirement  for 
commanders  to  have  e-mail  servers  in  the  field;  because  what  they 
found  was  that  commanders  were  deploying  and  they  weren't  able  to 
e-mail  because  the  network  connect  —  originally,  they  would  deploy 
with  the  concept  of  we'll  use  the  AKO  servers  and  try  to  use  that. 
Well,  even  when  we  try  to  use  Enterprise  Email  now,  we  run  into 
issues  over  the  Web,  so  instead  of  trying  to  force  commanders  to  talk 
to  their  people  that  worked  in  their  unit  across  AKO,  the  commanders 
were  having  their  S-6s  and  G6s  stand  up  e-mail  servers.  The  Army  saw 
that,  saw  the  need  for  it,  so  that's  why  they  fielded  the  BCCS 

systems  for  the  brigades  and  - 

TC [MAJ  FEIN]:  Ma'am  - 

A.  - that's - 

TC [MAJ  FEIN]:  Oh,  I'm  sorry;  go  ahead. 

WIT:  No.  I  was  going  to  say,  I  believe  that  started  occurring 

officially  at  about  2004/2005,  but  I  know  that  as  early  as  2003  all 
the  brigades  in  the  Baghdad  area  had  e-mail  servers. 


8870 




TC [MAJ  FEIN]:  Ma'am,  the  United  States  offers  Chief  Rouillard 
as  an  expert  in  both  GAL  systems  and  their  values  and  cyber  threats 
to  the  Army  networks. 

[The  assistant  defense  counsel,  CPT  Tooman,  stood  up.] 

MJ:  Yes? 

ADC [CPT  TOOMAN]:  Your  Honor,  we  object  to  Chief  Rouillard  being 
qualified  as  an  expert  in  valuation,  and  if  we  would  have  the 
opportunity,  we  would  voir  dire  him  to  explore  that  further. 

MJ:  All  right,  what  about  the  rest  of  the  expertise? 

ADC [CPT  TOOMAN]:  Could  I  have  a  moment,  Your  Honor?

MJ:  Yes. 

[The  assistant  defense  counsel  conferred  with  cocounsel.] 

ADC [CPT  TOOMAN]:  Ma'am,  we  have  no  objection  to  Chief  Rouillard 
being  an  ex  —  being  qualified  as  an  expert  with  respect  to  the  GAL 
generally  nor  do  we  have  an  objection  to  him  as  an  expert  in  cyber 
security. 

MJ:  All  right.  Government,  I  assume  you've  finished  with  your 

foundation,  so  I'm  going  to  allow  the  defense  to  voir  dire  on  the 

value  point  briefly. 

TC [MAJ  FEIN]:  Yes,  ma'am. 

ADC [CPT  TOOMAN]:  Thank  you,  ma'am. 


8871 




VOIR  DIRE  OF  CHIEF  WARRANT  OFFICER  4  ARMOND  ROUILLARD 
Questions  by  the  assistant  defense  counsel  [CPT  TOOMAN]:

Q.  Afternoon,  Chief. 

A.  Hey,  sir. 

Q.  Chief,  you  spoke  a  little  bit  about  a  lot  of  the  computer 

training  you  had  on  direct.  You  also  spoke  about,  you  know,  a  lot  of 
the  certifications  you  have.  Have  you  received  any  intelligence 
training,  like  MI  training? 

A.  I  have  not. 

Q.  Have  you  received  any  training  on  how  one  would  go  about 

valuing  something? 

A.  I'm  not  really  sure  I  understand. 

Q.  Have  you  gone  to  any  courses  where  you  were  instructed  on 

how  you  would  go  about  assigning  value  to  a  thing? 

A.  As  an  officer? 

Q.  As  an  officer,  as  a  civilian,  as  —  as  anything. 

A.  Well,  as  an  officer,  we  evaluate  the  value  of  things 

pretty  regular,  so  I'm  not  really  sure  —  no  official  training, 

Q.  Okay. 

A.  - other  than - 

Q.  And  what  - 

A.  -  other  than  warrant  officer  training  as  an  officer  in 

the  United  States  Army.  They've  taught  me  to  assess  the  value  of 


8872 




something.  I  mean  we  have  yearly  training  on  general  evaluation  of 
things  and  their  value. 

Q.  And  what  does  that  training  involve?  Or  actually  before 

I  ask  you  that,  what  sorts  of  things  do  you  assess  for  value? 

A.  So  —  so,  for  instance,  like  the  risk  assessment-type 

stuff.  We  go  —  we  all  —  all  Army  officers,  all  Army  personnel  go 
through  the  risk  assessment-type  methodology  on  how  to  assess  risk 
assessment,  right,  or  - 

Q.  Okay,  so  you've  —  you've  looked  at  assessing  risk.  Have 

you  --  have  you  had  any  instruction  on  how  to  assess  a  monetary  value 
to  something? 

A.  No,  sir. 

Q.  Okay. 

Do  you  have  any  specialized  knowledge  in  economics? 

A.  I  do  not. 

Q.  Have  you  taken  any  courses  in  economics? 

A.  Some  —  one  or  two  basic  college  level  courses,  but  not 

anything  specific.  I  think  I  took  —  it  was  a  while  ago,  so  not 
specifically,  no,  sir. 

Q.  Okay,  so  maybe  like  an  introductory  to  microeconomics  and
macroeconomics?

A.  Yeah.  I'd  have  to  go  back  and  look  at  my  transcript. 


8873 




Q.  Have  you  ever  —  and,  of  course,  we  need  to  keep  all  of 

this  unclassified.  I  wouldn't  - 

A.  Uh-huh  [affirmative  response].

Q.  -  ask  you  to  respond  in  any  that  would  be  —  would 

elicit  classified  information. 

Have  you  ever  bought  e-mail  addresses? 

A.  I  have  not. 

Q.  Have  you  ever  sold  e-mail  addresses? 

A.  Have  not. 

Q.  Have  you  ever  attempted  to  buy  an  e-mail  address? 

A.  I  have  not. 

Q.  Have  you  ever  attempted  to  sell  an  e-mail  address? 

A.  Have  not. 

Q.  Have  you  ever  before  this  case  been  asked  to  assess  the 

value  of  e-mails? 

A.  No. 

Q.  Have  you  ever  before  this  case  been  asked  to  determine 

the  value  of  anything? 

A.  No. 

Q.  Monetary  value? 

A.  No;  no,  sir. 

Q.  Have  you  done  any  sort  of  studies  with  respect  to  how 

various  factors  affect  the  value  of  something? 


8874 




A.  No, sir.

Q.  So nothing on supply or demand?

A.  No.

Q.  Or the nature of information?

A.  No, sir.

Q.  And how that might contribute to value?

A.  Uh-uh [negative response].

Q.  In your Army experience, have you ever assessed anything
for value; looked at it and said, "This is worth this much?"

A.  For monetary value?

Q.  Right.

A.  No, sir, other than, like, with our field, with servers
as they get nearer to lifecycle replacement or something of that
nature, we do an estimated value of that server. We've had it for 3
years. It's more cost-effective to replace it. The type of — that
type of depreciation value, but nothing finite and accurate.

Q.  Okay.

And you were asked to evaluate the value of the e-mails,
the GAL e-mails that are implicated in this case, correct?

A.  Yes, sir.

Q.  And without saying what determination you came to, how
did you come to that determination?


8875 




A.  So  open  source  intel.  E-mail  address  lists  are  for  sale 

on  the  Internet,  so  there's  actually  two  values.  There's  the 
monetary  value  and  then  the  threat  value. 

Q.  Okay. 

A.  The  monetary  value,  because  I  don't  have  prior  knowledge 

and  I'm  not  in  the  business  of  buying  or  selling  e-mail  addresses,  a 

simple  bing  or  Google  search  turns  up  a  number  of  e-mail  addresses 
available  for  sale.  You  can  go  here  and  buy  e-mail  addresses  or 
there,  and  so  you  can  do  a  comparative  cost  evaluation  based  on  that, 
since  it's  all  open  source. 

Q.  Do  you  know  if  that  is  a  common  way  to  value  e-mail 

addresses? 

A.  I  don't  know.  I  don't  sell  e-mail  addresses. 

Q.  Okay,  do  you  know  if  that  method  of  determining  value  has 

ever  been  review  —  peer  reviewed,  subject  to  peer  review? 

A.  I  do  not.  If  I  had  a  list  of  e-mail  addresses  that  I 

wanted  to  sell,  I  would  contact  that  site  and  see  how  much  they  would 
pay  for  me,  which  they  advertise  on  their  site. 

Q.  When  you  —  when  you  visited  those  Web  sites,  did  --  I 

guess  when  did  you  visit  those  Web  sites? 

A.  On  being  asked  for  this  case  when  I  had  the  discussions 

with  you  and  when  I  was  being  consulted  on  a  value  of  the  GAL, 
because  to  me  the  value  of  the  GAL  is  much  more  in  what  because  I 


8876 




protect  our  networks,  the  value  of  the  GAL  is  much  more  important  on 
what  somebody  can  do  with  that  data  than  just  selling  it. 

Q.  Sure. 

So  would  —  I  know  you  said  that  it  was  after,  obviously, 
this  started.  Do  you  recall  a  year  or  a  month  when  you  went  and  did 
those  type  —  those  Google  searches? 

A.  I  believe  the  first  one  I  did  was  --  I'm  trying  to  recall 

when  I  first  came  and  saw  you;  was  that  October/November,  that  time
frame?  I  honestly  don't  remember.  Whenever  —  whenever  I  first  sat 
with  you  is  the  first  time  and  then  I've  looked  a  couple  of  times 
since  then  and  then  as  recently  as  this  morning. 

Q.  Okay,  would  you  say  within  the  past  year  was  the  first 

time  you  ever  looked  it  up? 

A.  Yes,  sir. 

Q.  Okay. 

Did  you  —  did  you  contact  any  of  those  sites? 

A.  No,  sir. 

Q.  Do  you  know  if  those  sites  have  ever  actually 

successfully  bought  an  e-mail  address  - 

A.  I  don't  know  for  - 

Q.  -  at  the  price  advertised? 

A.  I  don't  know  for  a  fact;  no,  sir. 


8877 




Q.  Okay,  and  do  you  know  if  they've  ever  actually  sold  an 

e-mail  address  for  the  price  advertised? 

A.  I  don't  know  for  a  fact;  no,  sir. 

ADC [CPT  TOOMAN]:  Okay.

One  moment,  please,  Your  Honor.

[The  assistant  defense  counsel  conferred  with  cocounsel.] 

ADC [CPT  TOOMAN]:  Your  Honor,  we  have  no  further  voir  dire 
questions,  but  if  I  may  just  lay  out  our  objection. 

MJ:  Go  ahead. 

ADC [CPT  TOOMAN]:  We  would  object  based  on  M.R.E.  702.  We  don't 
believe  that  the  witness  would  testify  based  on  sufficient  facts  nor 
do  we  believe  Google  searches  are  the  product  of  reliable  principles 
and  methods  of  valuation.  Also,  we  believe  those  Google  searches 
would  be  hearsay;  anything  that  Chief  Rouillard  would  testify  about 
regarding  those  Google  searches  would  be  hearsay,  and  so  under  M.R.E. 
703  we  would  suggest  those  should  be  excluded  since  they  are  unlikely 
to  be  relied  upon  by  valuation  experts,  people  who  do  this  as  their 
business.

MJ:  All  right,  thank  you. 

Major  Fein? 

TC [MAJ  FEIN]:  Yes,  ma'am. 

MJ:  Can  I  ask  why  you  didn't  elicit  some  of  these  things 

before  setting  up  the  foundation? 


8878 




TC [MAJ  FEIN]:  Absolutely,  ma'am. 

The  reason  some  of  this  was  not  elicited  is  simply 
because  the  United  States  is  offering  him  as  a  cyber  threat  expert  to 
talk  about  the  second  prong  of  what  Chief  Rouillard  --  what  the 
defense  didn't  ask  about,  which  is  there's  two  different  sources  for 
him  to  evaluate  the  GAL.  The  defense  didn't  elicit  the  second 
source.  They  only  elicited  the  first  source,  which  is  open  source. 

So  if  I  may,  Your  Honor  -

MJ:  So  am  I  assuming  you're  relying  on  the  second  source  and 

not  the  first  source  or  both? 

TC [MAJ  FEIN]:  The  second  source,  Your  Honor,  based  off  his
since  19  —  the  mid-1990s  of  his  experience  in  this  field  and  what 
this  information  and  how  it's  used,  so  it's  the  - 

MJ:  So  are  you  - 

TC [MAJ  FEIN]:  -  second  source. 

MJ:  -  are  you  proposing  to  ask  further  questions  and  lay 

further  foundation? 

TC [MAJ  FEIN]:  Yes,  ma'am. 

MJ:  Okay. 

TC [MAJ  FEIN]:  Yes,  ma'am. 

[Pause] 

MJ:  So  before  you  do  that,  you  said  there's  two  different 

ways  to  evaluate  value.  What  are  those  ways? 


8879 




TC [MAJ  FEIN]:  Ma'am,  may  I  ask  the  witness,  because  he  didn't 
actually  answer  the  question  of  the  defense? 

MJ:  All  right,  go  ahead. 

DIRECT  EXAMINATION  CONTINUED 
Questions  by  the  trial  counsel  [CPT  FEIN]:

Q.  Chief,  what  are  the  two  sources  that  you  would  evaluate 

the  value  of  e-mail  addresses? 

A.  So  there's  —  there's  the  monetary  value  that  if  you  sell 

it  on  the  open  market  or  you  sell  it  to  a  commercial  entity  or 
corporation  looking  to  do  the  spam  mail-type  thing,  that's  normally 
not  what  the  Army  focuses  on. 

Another  —  much  more  dangerous  to  us,  as  the  Army  or  as 
the  government,  is  the  ability  to  use  those  e-mails  to  target 
individuals  in  the  military  with  those  e-mails.  So  using  this 
specific  —  can  I  use  this  specific  address  list  as  an  example,  the 
2d  Brigade,  10th  Mountain? 

Q.  Yes,  but  not  - 

A.  So - 

Q.  -  using  last  names. 

A.  Roger. 

So  the  2d  Brigade,  10th  Mountain  address  list,  for 
example,  is  a  group  of  military  members  who  work  on  Fort  Drum,  who 
are  on  a  deployment.  So  if  I  was  an  adversary  of  the  U.S.  Army  and  I 


8880 




wanted  to  target  a  group  of  individuals  and  I  had  those  e-mail 
addresses,  I  could,  for  instance,  pretend  to  be  —  I  could  craft  a  — 
what  we  call  a  "spear  phishing"  e-mail,  which  is  a  targeted  phishing 
e-mail.  So  you  have  "phishing"  and  then  you  have  "spear  phishing," 
and  so  the  phishing  e-mail  is  just  a  blanket  —  I  send  out  a  bunch  of 
e-mails.  I  hope  somebody  clicks  a  link  or  sends  me  a  response  back. 

A  spear  phishing  e-mail  is  much  more  targeted,  hoping  —  or  has  a 
higher  probability  of  user  interaction  or  user  response  or  user 
click.  So  if  I  craft,  for  instance,  a  spear  phishing  campaign  e-mail 
against  2d  Brigade,  10th  Mountain,  using  this  e-mail  —  this  GAL  list 
and  the  e-mail  says,  "I'm  from  the  PAO  on  Fort  Drum,  and  I'm  looking 
to  award  five  trips  to  Disneyland  and  twenty,  $100  gift  certificates. 
Fill  out  the  enclosed  pdf  and  send  it  back  to  me."  Many  Soldiers 
will,  through  experience,  click  that  link,  open  the  pdf,  fill  out  the 
pdf,  and  send  it  in. 

Q.  Is  that  typically  —  are  those  spear  phishing  endeavors 

typically  done  for  profit? 

A.  They  can  be. 

Q.  Okay. 

A.  And,  again,  the  profit  part  isn't  necessarily  what  Army 

network  defenders  focus  on. 

[The  assistant  defense  counsel,  CPT  Tooman,  stood  up.] 

MJ:  Yes. 


8881 




ADC [CPT  TOOMAN]:  We  would  object  based  on  —  under  602,
personal  knowledge  of  spear  phishing. 

MJ:  How  do  you  know  about  all  this? 

WIT:  Through  my  information  protection  technician  training. 

MJ:  Overruled. 

A.  And  so  we  actually  —  to  further  answer  that,  we  —  we're 

trained  specifically  on  using  spear  phishing  campaigns.  So  part  of 
the  cyber  OPFOR  mission  as  we  go  to  attack  the  —  or  simulate  the 
enemy  at  the  CTCs,  we  use  spear  phishing  campaigns  against  the 
brigades  that  are  in  the  NTC  or  JRTC  to  try  to  get  them  to  come  to 
our  Web  site  and  click  our  links  and  install  our  malware,  so  the 
enemy  uses  a  very  similar  tactic.  So  by  pretending  to  be  the  PAO,  he 
could  target  a  very  tar  --  he  could  —  he  could  send  out  this  e-mail 
campaign  against  a  very  targeted  group  of  individuals  who  we've  seen 
even  today  still  click  the  links  even  though  we  have  use  —  yearly 
training  and  the  user  agreement  they  sign  every  year  and  all  the 
other  training  we  give  them,  users  still  click  the  links;  and  that's 
why  we  use  this  is  to  highlight  when  you  click  these  links,  this  is 
what  happens,  because  ultimately  until  commanders  see  the  effect,  oh, 
it's  just  that  cyber  stuff  and  they  don't  want  to  mess  with  it,  so 
when  they  see  the  effect  of  my  G1  or  my  S-1  lieutenant  click  the  link
that  was  part  of  the  spear  phishing  campaign,  her  box  was 


8882 




compromised,  and  now  somebody  stole  the  alert  roster  with  names  and 
social  security  numbers. 

Q.  And  what  experience  other  than  what  you  explained  quickly 

for  the  court  do  you  have  with  spear  phishing? 

A.  So  training.  I  was  trained  during  the  25  Sierra  course, 

and  then  this  is  also  one  of  our  methods  that  we  use  now  with  our 
cyber  OPFOR. 

Q.  Okay.  And  what  is  —  again,  what  is  the  ultimate  goal  of 

spear  phishers? 

A.  To  elicit  a  response  out  --  out  of  who  I  send  it  to,  so 

it  could  either  be  financial  or  it  could  be  compromise  of  that 
system. 

Q.  And  what  do  you  mean  by  "compromise"  of  the  system? 

A.  If  I  can  convince  a  user  or  if  someone  with  malicious 

intent  can  convince  a  user  to  click  a  link  and  visit  my  Web  site  that 
I  control,  I  can  then  install  a  program  on  their  machine;  because  the 
user  clicked  the  link,  it'll  grab  the  file,  installs  it  on  their 
computer,  and  then  opens  the  connection  back  to  my  machine.  When  it 
does  that,  with  my  machine  listening,  I  can  then  connect  back  to 
their  machine  with  their  user  credentials;  because  they  clicked  the 
link,  it  gives  me  access  into  their  box  as  if  I  was  them. 

Q.  And  then  you  mentioned  financial,  what  are  —  what  do  you 

mean  by  that? 


8883 




A.  So  I  could  be  just  trying  to  rip  you  off,  so  to  speak; 

send  in  10  —  fill  out  this  link  and  send  me  $25  to  enter  the  raffle 
for  the  PAO  five  Disney  vacation  giveaways,  or  something  like  that  of 
that  nature. 

Q.  And  in  your  experience  in  the  last  more  than  10  years 

dealing  with  Microsoft  Exchange  e-mails  and  cyber  threats,  have  you 
seen  those  types  of  spear  phish  e-mails  for  financial  gain? 

A.  Absolutely.  On  our  systems,  yes.  I  couldn't  give  you 

specific  examples,  but  we  have  gone  through  and  the  --  the  mail 
systems  that  the  Army  —  the  Exchange  Mail  Systems,  usually  we  sit 
those  behind  what's  called  a  "SMTP  gateway"  or  a  simple  mail 
transport  protocol  gateway,  so  we'll  have  a  gate  —  a  server  in  front 
that's  filtering  a  lot  of  the  spam  stuff,  which  will  —  it's  just 
another  configured  mail  server  type  appliance  that  gets  the  mail
before  it  goes  to  the  mail  server;  that  will  stop  a  lot  of  the 
generic,  "Hi,  I'm  your  uncle  from  Yugoslavia;  send  me  $200  now  for 
$500,000  later."  That's  why  Army  systems  don't  get  that,  because  we 
have  very  good  spam  filtering  systems  in  place  on  the  garrison 
network.  Targeted  or  spear  phishing  is  much  harder  because  now  you 
have  a  —  first,  you  have  a  much  lower  list  that  you  send  out,  but 
second,  it's  targeted,  so  you're  sending  it  to  a  clear,  defined  list 
that's,  again,  military  personnel;  2d  Brigade,  10th  Mountain;  from 
Fort  Drum  and  so  it  bypasses  a  lot  of  the  security  that  it's  not 


8884 




normally  set  to  filter  that  —  it's  not  normally  in  the  subscription 
process  that  the  spam  filter  will  stop. 

Q.  And  approximately  how  many  years  of  experience  do  you 

have  with  these  types  of  spear  phishing  e-mails  that  elicit  money  or 

ask  for  money  - 

A.  Oh,  - 

Q.  - by  clicking - 

A.  -  spear  phishing's  been  around  since  e-mail,  I 

believe,  so  at  least  since  1995. 

Q.  And  how  often  since  1995  have  you  had  your  —  this 

firsthand  knowledge  —  experience  with  these  types  of  e-mails? 

A.  In  my  personal  mailbox  or  in  my  mili  —  oh  - 

Q.  Thank  you.  In  your  official  capacity  - 

A.  Oh,  as  far  as  protecting  against  them?  Since  - 

Q.  Yes. 

A.  -  since  about  —  since  first  Iraq  deployment  with  1st 

Cav,  so  about  2003/2004  and  I  became  responsible  for  the  mail  servers 
at  1st  Cav;  that's  where  we  really  focused  on  protecting  our  users 
from  spam  mail.  But,  again,  the  more  serious  threat  for  Army  guys 
was  people  clicking  the  link  or  downloading  the  malware  or  someone 
that  was  not  pleased  with  the  United  States  trying  to  exploit  our 
military  systems. 


8885 




Q.  So  what  are  the  different  —  so  you  mentioned  spear 

phishers  and  those  —  could  you  —  what  are  the  other  groups  of 
people  or  individuals,  groups,  that  would  use  e-mails  from  the  United 
States  Government? 

A.  So  part  of  our  25  Sierra  training,  we  kind  of  evaluate 

the  different,  what  I  call,  buckets  of  threat;  and  you'll  have 
everybody  from  --  it  starts  out  at  the  lowest  level,  and  we  use  this 
for  our  training  model  basically,  so  as  we  do  our  OPFOR  mission,  this 
mirrors  very  closely,  you'll  have  the  low-skilled  guys  who  are  just 
generally  displeased  with  the  government,  they  might  have  a  blog  page 
or  something,  and  say  we  don't  like  the  U.S.,  so  if  they  had  that 
list,  they  might  try  a  low-key,  general  spam  mail  to  the  whole  list. 
You  might  have  more  elite  hacker  groups,  like  Anonymous,  who 
potentially  could  use  it;  and  then  all  the  way  up  to  nation  state 
actors  that  would  wish  us  harm. 

Q.  What  do  you  mean  by  "nation  state  actors"? 

A.  So  any  other  country  that's  attempting  to  compromise 

military  networks  to  —  I'm  trying  to  stay  inbounds  —  but  military 
—  different  countries  that  are  trying  to  compromise  military 
networks  to  steal  our  intellectual  property.  So  as  an  example,  if  I 
was  in  a  country  that  didn't  like  the  United  States  and  I  could  get  a 
contractor  that  worked  on  a  government  project  to  click  on  a  link 
that  would  give  me  access  to  his  box,  I  could  then  have  complete 


8886 




access  to  that  contract  project  that  he  was  working  on,  so  it's  not 
just  military  but  also  everybody  that  supports  us. 

Q.  And  then  what  about  corporations  or  other  corporate 

actors  trying  to  obtain  e-mails? 

A.  The  corporate  actors  would  probably  fall  into  more  of  the 

financial  gain.  My  experience,  I  haven't  seen  Microsoft  trying  to 
take  over  Army  systems,  but  if  they  were  looking  to  sell  Xboxes  to 
Soldiers  coming  back;  or  Ranger  Joe,  if  Ranger  Joe,  common  military 
Web  site  —  Web  site  —  a  common  Web  site  that  sells  military-type 
gear,  if  he  wanted  a  targeted  audience,  if  he  had  this  Global  Address 
List  of,  you  know,  the  majority  is  Army  guys,  then  he  has  a  much 
better  chance  of  getting  somebody  to  go  to  his  Web  site,  so  to  speak. 

TC [MAJ  FEIN]:  So,  Your  Honor,  the  United  States  renews  its 
moving  the  court  to  qualify  Chief  Rouillard  as  an  expert  in  valuating 
e-mails  from  —  well,  really  the  Global  Address  List,  Your  Honor,  not 
the  e-mail. 

MJ:  Well  that's  different  from  what  you  originally  asked  for; 

you  said  value. 

TC [MAJ  FEIN]:  Yes,  ma'am;  the  value  of  the  Global  Address  List. 

MJ:  Do  you  have  any  authority  to  present  to  the  court  that 

value  under  18  United  States  Code,  Section  641,  is  measured  in  any 
way  other  than  money? 


8887 




TC [MAJ  FEIN]:  No,  ma'am.  It's  the  different  markets  on  how  the 
money  and  how  the  valuation's  done,  through  the  buyer's  market, 
thieves'  market,  and  the  United  States  would  argue  that  Chief 
Rouillard  has  at  least  —  the  defense  argues  that  he  has  not 
established  a  buyer's  market  based  off  known  ways  measuring  — 
because he went on Google and looked, but definitely a thieves'
market as far as his experience with over more than 10 years of
getting e-mails saying, "Click here," how much they're paying, and
where those sources of those e-mails come from, that's — that would
be the authority, Your Honor, or at least how the evidence would go
to that. So it's not — the United States is not arguing that value
is measured in dollar amounts. We agree with that. It's how it can
be measured to determine that dollar amount. And the United States
offers that Chief Rouillard's opinion on that, his expert opinion
based  on  his  qualifications  and  experience,  could  aid  the  court  in 
understanding  its  monetary  value. 

[Pause] 

MJ: All right, here's what I'm going to do. You have the witness here on the stand. I'm going to let you go ahead and finish your questioning. I want the government to provide me with authorities for how value is measured.

Defense,  you've  already  given  me  something,  but  you  can 
supplement  what  you've  already  given  me  on  the  thieves'  market  a  long 

8888 




time  ago,  and  I  will  decide  based  on  those  submissions  whether  I 
accept  this  or  not. 

ADC [CPT TOOMAN]: Ma'am, the defense would request the
opportunity  to  voir  dire  further  on  this  specific  issue. 

MJ: You can do it on cross-examination because that's how we're going to proceed.

ADC [CPT  TOOMAN]:  Yes,  ma'am. 

TC [MAJ  FEIN]:  So,  ma'am,  for  purposes  of  this  pending 
objection,  the  United  States  would  move  into  the  opinion  testimony 
because  the  United  States  intends  to  elicit  factual  testimony  after 
that,  unrelated. 

MJ: All right, so go ahead and — so that you're eliciting the opinion that -

TC [MAJ  FEIN]:  Yes,  ma'am. 

MJ: - at this point I haven't ruled on whether I'm going to accept or not -

TC [MAJ  FEIN]:  Correct,  ma'am. 

MJ:  -  and  then  we're  going  to  move  on  to  something  else. 

TC [MAJ  FEIN]:  Yes,  ma'am,  and  I  - 

MJ:  Got  it. 

TC [MAJ FEIN]: - will notify the court exactly when I'm moving on.

MJ:  Okay. 


8889 




DIRECT  EXAMINATION  CONTINUED 
Questions by the trial counsel [MAJ FEIN]:

Q. Chief Rouillard, based off of your experiences with spear phishing, how much does a foreign adversary would — how much would they pay for blocks of e-mails you discussed earlier, like 2-10 Mountain?

ADC [CPT TOOMAN]: Your Honor, we'll object based on hearsay.
M.R.E.  703  we  don't  believe  that  - 

MJ: I've already said I'm going to listen to the testimony and decide afterwards. You can -

ADC [CPT  TOOMAN]:  Yes,  ma'am. 

MJ:  -  put  it  all  down  in  the  brief  that  you'll  be  filing. 

WIT:  Could  you  repeat  the  question?  I'm  sorry. 

TC [MAJ FEIN]: Sure.

Q. Based off of your experience with spear phishing, -

A. Uh-huh [affirmative response].

Q. - what is your opinion on how much a foreign adversary would pay for blocks of e-mails like the 2-10 Mountain e-mail block you explained earlier?

A. So, honestly, monetary value is hard for me to assess; however, it's one of the top three to five documents that I would seek from an adversary, so a lot of -- one of the first things we do in the — as you're trained in the network cyber-attack methodology,


8890 




one  of  the  first  things  you  do  is  gather  intel  or  open  source  intel, 
and as you do that, you might visit their Web sites and gather the
e-mail addresses they have on their Web sites or information they have.
So,  for  instance,  if  I  was  interested  in  Army  Cyber,  I  would  go  to  AR 
—  ArmyCyber.us.army.mil  and  I  would  look  at  who  was  the  commander, 
what  his  bio  read,  and  that's  why  all  of  those  public  facing 
documents  go  through  a  very  stringent  examination  by  PAO  to  make  sure 
none  of  that  information  being  released  to  the  public  is  detrimental 
or  dangerous.  With  a  list  of  addresses  that  are  specific  to  that 
unit,  especially  with  reference  to  the  —  this  GAL  list,  in  2010,  the 
other  threat  was  the  first  part  of  that  e-mail  address  with  their 
user  account,  so  not  only  is  it  their  e-mail  account  but  because  we 
were  not  doing  the  smart  card  login  or  the  CAC  authentication,  it  was 
also  their  user  login;  and  so  then  all  I  have  to  have  is  their 
password  to  be  able  to  log  in  as  that  user.  So  for  us,  for  value 
it's  —  when  I  train  all  of  my  cyber  OPFOR  guys,  I  tell  them  this  is 
one  of  the  top  things  you  want.  It's  ultimately  one  of  the  first 
things  that  we  look  for  because  that's  our  gate  —  normal  attack 
methodology  in  is  to  send  out  some  type  of  spear  phishing  e-mail  to 
get  the  user  to  click  on  that  link  to  either  visit  our  Web  site  or 
install  our  malware. 

TC [MAJ FEIN]: Your Honor, may I have a moment?

MJ: Uh-huh [affirmative response].


8891 




[The  trial  counsel  conferred  with  co-counsel.] 

TC [MAJ  FEIN]:  Your  Honor,  to  make  this  easier,  the  United 
States  withdraws  qualifying  Chief  Rouillard  as  an  expert  in  the  GAL 
valuation,  so  the  United  States  will  not  ask  any  further  opinion  of 
Chief  Rouillard  on  that  topic. 

MJ: You want me to disregard the testimony that was just given?

TC [MAJ FEIN]: Yes, ma'am. The United States is going to elicit
similar testimony, just fact-based but not — well frankly, Your
Honor, the witness did not give the actual value, so, yes, the court
disregard that.

MJ: So then you want the court to disregard everything that was after — following Captain Tooman's objection.

TC [MAJ  FEIN]:  Yes,  ma'am. 

MJ:  All  right;  it's  done. 

TC [MAJ  FEIN]:  Your  Honor,  I'm  retrieving  from  the  court 
reporter  Prosecution  Exhibit  170  —  147bravo  and  148bravo. 

[The  trial  counsel  retrieved  the  exhibits.] 

Q.  Chief  Rouillard,  I'd  like  to  go  back  to  the  GAL  itself, 

A. Uh-huh [affirmative response].


8892 




Q. - the creation and maintenance. Earlier you testified about — you testified about the number of Soldiers and hours those Soldiers spent -

A. Uh-huh [affirmative response].

Q. - on the creation of it. What is the typical rank of that Soldier who creates entries into the GAL?

A. For us, normally it was a specialist up to junior NCO at the help desk.

Q.  And  that's  at  the  division? 

A. That was at the division. Brigade was staffed very similar; they just had less people. And then for the creation of important accounts, like I didn't want my general's account screwed up, so I would create it; but, -

Q.  Okay. 

A.  -  in  general,  the  help  desk  managed  it  just  fine. 

TC [MAJ  FEIN]:  Your  Honor,  permission  to  publish  Prosecution 
Exhibit  147bravo. 

MJ:  Proceed. 

[PE  147b  was  published  and  displayed  on  the  electronic  projector.] 

Q.  Chief  Rouillard,  do  you  recognize  this? 

A.  Yes,  sir. 

Q.  What  is  it? 


8893 


INSTRUCTIONS  FOR  PREPARING  AND  ARRANGING  RECORD  OF  TRIAL 


USE  OF  FORM  -  Use  this  form  and  MCM,  1984, 
Appendix  14,  will  be  used  by  the  trial  counsel  and 
the  reporter  as  a  guide  to  the  preparation  of  the 
record  of  trial  in  general  and  special  court-martial 
cases  in  which  a  verbatim  record  is  prepared.  Air 
Force  uses  this  form  and  departmental 
instructions  as  a  guide  to  the  preparation  of  the 
record  of  trial  in  general  and  special  court-martial 
cases  in  which  a  summarized  record  is  authorized. 
Army  and  Navy  use  DD  Form  491  for  records  of 
trial  in  general  and  special  court-martial  cases  in 
which  a  summarized  record  is  authorized. 
Inapplicable  words  of  the  printed  text  will  be 
deleted. 

COPIES  -  See  MCM,  1984,  RCM  1103(g).  The 
convening  authority  may  direct  the  preparation  of 
additional  copies. 

ARRANGEMENT  -  When  forwarded  to  the 
appropriate  Judge  Advocate  General  or  for  judge 
advocate  review  pursuant  to  Article  64(a),  the 
record  will  be  arranged  and  bound  with  allied 
papers  in  the  sequence  indicated  below.  Trial 
counsel  is  responsible  for  arranging  the  record  as 
indicated,  except  that  items  6,  7,  and  15e  will  be 
inserted  by  the  convening  or  reviewing  authority, 
as  appropriate,  and  items  10  and  14  will  be 
inserted  by  either  trial  counsel  or  the  convening  or 
reviewing  authority,  whichever  has  custody  of 
them. 

1. Front cover and inside front cover (chronology
sheet)  of  DD  Form  490. 

2.  Judge  advocate's  review  pursuant  to  Article 
64(a),  if  any. 

3.  Request  of  accused  for  appellate  defense 
counsel,  or  waiver/withdrawal  of  appellate  rights, 
if  applicable. 

4.  Briefs  of  counsel  submitted  after  trial,  if  any 
(Article  38(c)). 

5.  DD  Form  494,  "Court-Martial  Data  Sheet." 

6.  Court-martial  orders  promulgating  the  result  of 
trial  as  to  each  accused,  in  10  copies  when  the 
record  is  verbatim  and  in  4  copies  when  it  is 
summarized. 

7.  When  required,  signed  recommendation  of 
staff  judge  advocate  or  legal  officer,  in  duplicate, 
together  with  all  clemency  papers,  including 
clemency  recommendations  by  court  members. 


8.  Matters  submitted  by  the  accused  pursuant  to 
Article  60  (MCM,  1984,  RCM  1105). 

9.  DD  Form  458,  "Charge  Sheet"  (unless  included 
at  the  point  of  arraignment  in  the  record). 

10.  Congressional  inquiries  and  replies,  if  any. 

11. DD Form 457, "Investigating Officer's Report,"
pursuant  to  Article  32,  if  such  investigation  was 
conducted,  followed  by  any  other  papers  which 
accompanied  the  charges  when  referred  for  trial, 
unless  included  in  the  record  of  trial  proper. 

12.  Advice  of  staff  judge  advocate  or  legal  officer, 
when  prepared  pursuant  to  Article  34  or  otherwise. 

13.  Requests  by  counsel  and  action  of  the 
convening  authority  taken  thereon  (e.g.,  requests 
concerning  delay,  witnesses  and  depositions). 

14.  Records  of  former  trials. 

15. Record of trial in the following order:

a.  Errata  sheet,  if  any. 

b.  Index  sheet  with  reverse  side  containing 
receipt  of  accused  or  defense  counsel  for  copy  of 
record  or  certificate  in  lieu  of  receipt. 

c.  Record  of  proceedings  in  court,  including 
Article  39(a)  sessions,  if  any. 

d.  Authentication  sheet,  followed  by  certificate 
of  correction,  if  any. 

e. Action of convening authority and, if appropriate,
action of officer exercising general court-martial
jurisdiction.

f.  Exhibits  admitted  in  evidence. 

g.  Exhibits  not  received  in  evidence.  The  page 
of  the  record  of  trial  where  each  exhibit  was 
offered  and  rejected  will  be  noted  on  the  front  of 
each  exhibit. 

h. Appellate exhibits, such as proposed instructions,
written offers of proof or preliminary
evidence  (real  or  documentary),  and  briefs  of 
counsel  submitted  at  trial. 


DD  FORM  490,  MAY  2000 


Inside  of  Back  Cover 


